How to Manage a Privacy Breach in Your Canadian Practice

How to Manage a Privacy Breach in Your Canadian Practice Workshop

Have you ever heard about a privacy breach at another practice and thought…

“I hope that never happens to us.”

The reality is — privacy breaches can happen in any healthcare practice, regardless of size, specialty, or technology. Whether it’s a misdirected fax, unauthorized access to a chart, lost device, or cyber incident, breaches are not a matter of if — but when.

What makes the difference is how prepared you are to respond.

I’m tickled pink to partner with Kayla Das to deliver a live virtual workshop designed to provide practical, step-by-step guidance for Canadian healthcare practices. Kayla Das, B.Rec, BSW, MSW, RSW, is a trusted Business Coach for Therapists and Counsellors.

Live Virtual Workshop

How to Manage a Privacy Breach in Your Canadian Practice

In this interactive on-line session, we’ll walk you through what to do when a privacy breach occurs — before you ever have to face one in real time.

This workshop is ideal for:

  • Canadian clinic managers
  • Privacy officers
  • Practice owners
  • Social workers, counsellors, and mental health leaders
  • Clinical supervisors and consultants

If you are responsible for protecting patient information, this training will help you strengthen your breach response readiness.

What We’ll Cover

Participants will learn:

  • The difference — and overlap — between confidentiality and privacy
  • Legislative, regulatory, and professional practice requirements across Canada
  • Why privacy breaches are a significant risk you should prepare for
  • How to recognize when a breach has occurred
  • The 4-Step Response Plan for managing a privacy breach
  • Practical steps to prevent breaches before they happen
    … and more

Important for Ontario Practitioners

Ontario health information custodians (practice owners) are required to submit annual privacy breach statistics to the Ontario Information and Privacy Commissioner by March 1 each year.

If you’re unsure what must be reported — or how to prepare — this workshop will address those requirements.

Workshop Details

Date: Tuesday February 24, 2026
Time: 9:00 AM PST / 12:00 PM EST / 10:00 AM MT
Length: Approximately 90 minutes

Bonus Benefits

✔️ Replay access available until March 10, 2026
✔️ Certificate of Attendance available for live participants (may support continuing education credits)

Privacy breaches are stressful — but managing them doesn’t have to be overwhelming when you have a plan.

We hope you’ll join us for this practical, supportive session designed to help you protect your patients, your practice, and your professional reputation.

Data Privacy Day 2026 Resources For You!

Data Privacy Day is an internationally recognized day dedicated to creating awareness about the importance of privacy and protecting personal information.

That means a lot to me and I think it means a lot to you, too. I think it is important that we give our patients and clients the gift of privacy. And that we have the right tools and resources for our employees to make good privacy and security decisions in our businesses.

Information Managers Ltd. is a Data Privacy Champion!

As a DPD Champion, Information Managers recognizes and supports the principle that organizations, businesses, and government all share the responsibility to be conscientious stewards of data by respecting privacy, safeguarding data, and enabling trust.

Each of us is responsible to manage our name and our identity. When you share your personal information, you have the right and responsibility to ask the person or business why they need the information and how they will protect your personal information.
Jean L. Eaton

Your Practical Privacy Coach, Information Managers Ltd.

Data Privacy Day Resources

5 Steps To Prevent Employee Snooping

SAY NO TO SNOOPING!

If an individual affiliate knowingly breaches the privacy and security of health information, and the custodian can demonstrate that reasonable safeguards (including privacy awareness training) were in place, the individual affiliate can be charged under the Health Information Act. Fines of up to $50,000 may be applied to the individual, in addition to other sanctions from their employers and/or their professional regulatory colleges where applicable (HIA s.107).

What Is Snooping?

Looking at someone’s personal information without having an authorized purpose to access that information to do your job is known as ‘snooping’.

Even when you are “just looking” at personal information but don’t share that information with anyone else, this is still a privacy breach.

It is illegal.

Snooping incidents are on the rise and can cost you time, money, heartache, and headache in your practice.

When there is an offence under the privacy legislation like the Health Information Act, there may be an investigation, charges and court appearances, fines, penalties, and loss of employment.

Snooping is entirely preventable.

How Can You Prevent Employee Snooping?

Let’s take a look at the pro-active steps that you can take today to prevent employee snooping.

Download the Practice Management Success Tip 5 Steps to Prevent Employee Snooping

The Practice Management Success Tip, 5 Steps to Prevent Employee Snooping, will help you

  • Take 5 practical steps to prevent employee snooping.
  • Provide clarity about what is considered a privacy breach.
  • Contribute to the health information privacy compliance in your healthcare practice.

Get 5 Steps to Prevent Employee Snooping HERE!

Protect Your Organization and Your Patients With a Privacy Awareness Quiz

Equip your staff with the information they need to confidently and correctly handle personal health information.

Healthcare businesses need privacy awareness training to support their key policies and procedures, and every risk management program needs a privacy awareness training component.

Reasonable Safeguards

As an employer and healthcare provider, you are responsible to provide training to all of your employees about privacy awareness.

If you don’t provide the training, or if the employees don’t understand the policies and there is a privacy breach, then the healthcare provider is more likely to be held accountable under the legislation and face penalties, including fines and even prison!

Patients value the privacy and security of their information.

Healthcare providers and clinic managers value privacy and security, and they value avoiding the adverse results of non-compliance, such as compliance findings or patient safety issues.

If patients don’t feel that the healthcare provider will keep their information confidential and secure, patients may choose not to share their information, which may impact their healthcare and treatment.

When we are privacy aware, we can better respond to patients’ questions and build their trust in the quality of services that we provide.

Download the Privacy Awareness Quiz to use today to train your employees and protect your patients’ health information.

Privacy Breach Nugget: When Patient “Success Stories” Become a Privacy Breach

Ever wonder how privacy breaches happen—and what you can do to stop them? Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s unpack today’s case and explore what went wrong, what worked, and how you can apply these insights to protect patient information.

What Happened

Cadia Healthcare Facilities is a rehabilitation, skilled nursing, and long-term care services provider with 5 locations in Delaware, US.

Cadia posted patient names, photographs, and detailed health information on its public-facing website as part of a marketing campaign featuring patient “success stories.” These disclosures were made without obtaining valid written authorization from the patients whose information appeared on the website.

4 Step Privacy Breach Response

Cadia’s management of the privacy breach can be examined using the 4 Step Response Plan framework.

Step 1 – Spot and Stop

Cadia had procedures that required employees to obtain a written consent from patients before sharing their testimonials. Despite this, the Office of Civil Rights (OCR) received a complaint in September 2021 alleging that patient information had been disclosed without authorization.

OCR’s investigation ultimately confirmed that the protected health information (PHI) of 150 patients had been disclosed without proper authorization. Cadia was formally notified of these findings in February 2022.

Step 2 – Investigate

Cadia conducted an internal investigation and in March 2022 removed all the success stories from its social media and website and ended the marketing campaign.

However, during this process, the organization deleted the content before confirming which patients had valid written consent on file, making it more difficult to accurately determine the full scope of unauthorized disclosures.

Step 3 – Notify

Cadia initially failed to notify affected patients of the privacy breach, as required. Notification obligations were later addressed as part of the enforcement process. A public notice regarding the breach can now be found on the Cadia website.

Step 4 – Prevent the Breach from Happening Again

According to the OCR settlement details:

  • Cadia agreed to pay a $182,000 USD penalty
  • A Corrective Action Plan (CAP) was imposed, including two years of OCR monitoring and reporting
  • Cadia failed to properly implement its existing administrative privacy policies
  • Cadia is required to:
    • Revise its privacy policies and procedures
    • Provide privacy training to all staff, including marketing personnel
    • Implement stronger authorization processes before using patient information for marketing
  • Cadia must now notify all affected individuals whose PHI was disclosed without authorization

Website and Social Media Tips

Custodians are responsible for ensuring that patients’ health information is collected, used, and disclosed in compliance with health privacy legislation, such as Alberta’s Health Information Act (HIA) and Ontario’s Personal Health Information Protection Act (PHIPA).

It’s also important to ensure your practices align with professional college standards related to advertising, professionalism, and confidentiality.

Here are key questions to include in your website and social media compliance checklist before collecting or using patient testimonials:

  • What is your clinic’s approval process before content is posted online?
  • Has the patient provided written consent for their information to be used?
    • If a photograph is included, does the consent explicitly authorize the use of images?
  • Who authorizes the content before it is published?
    • For example: the healthcare provider, lead custodian, social media lead, or privacy officer?
  • Before posting, has the content been reviewed for compliance with:
    • Health privacy legislation?
    • Professional college standards?
  • Does your marketing vendor understand your privacy obligations?
    • Do you have a written agreement in place requiring the vendor to protect the confidentiality of personal health information?

Also See

Is your website secure? Take the Website Self-Assessment from Elevated Business Solutions.

Do you have a website for your healthcare practice in Ontario? PHIPA Website Guide from Elevated Business Solutions will help you.

Take-Aways

The Cadia case is a reminder that policies alone are not enough. Clinics must ensure that privacy requirements are understood, followed in practice, and applied consistently across all teams, including marketing and external vendors. Taking the time to review your website and social media practices now can help prevent a costly and public privacy breach later.

You May Also Be Interested In

Medical Secretary Fined for Unauthorized Access And Disclosure to Health Information

3rd Largest Fine Ever Under the HIA

References

Cadia Healthcare Facilities. Notice of Success Story Incident. https://cadiahealthcare.com/wp-content/uploads/2025/06/Cadia_Notice-1.pdf

Health and Human Services. HHS’ Office for Civil Rights Settles HIPAA Investigation of Cadia Healthcare Facilities for Disclosure of Patients’ Protected Health Information. September 30, 2025. https://www.hhs.gov/press-room/ocr-settles-hipaa-with-cadia-healthcare-facilities.html

Help Me With HIPAA. Did Anyone Even Ask If It Was OK? – Ep 531 podcast. October 17, 2025. https://helpmewithhipaa.com/did-anyone-even-ask-if-it-was-ok-ep-531

Why “Demonstrable Accountability” Matters

Does Your Privacy Program Have ‘Demonstrable Accountability’?

The first Ontario decision to include an Administrative Monetary Penalty (AMP) under the Personal Health Information Protection Act (PHIPA) shows how serious the consequences can be when personal health information (PHI) is used for an unauthorized secondary purpose.

Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into what went wrong, what worked, and how you can apply these insights to strengthen your privacy program.

What Happened

This case involves the Windsor Regional Hospital (WRH), Chatham-Kent Hospital Alliance (CKHA), Erie Shores Healthcare, WE Kidz Pediatrics, and Dr. Omar Afandi.

Between April 20 and May 7, 2024, Dr. Afandi accessed the shared electronic health record (EHR) system of CKHA’s Women’s and Children’s Program. He used it to identify newborns so he could contact their parents to offer circumcision services at his private practice, WE Kidz Pediatrics.

Several parents reported receiving these unsolicited calls and complained to the hospitals. Dr. Afandi later stated he did not realize these accesses were unauthorized under PHIPA.

Managing the Breach

We can analyze the hospitals’ and clinic’s response using the 4-Step Response Plan.

Step 1 – Spot and Stop

The breach was reported by patients who received unsolicited contact from the physician.

The Chief of Staff wrote to Dr. Afandi on May 15, 2024, advising that his actions constituted an unauthorized collection and use of PHI and inviting him to withdraw his reappointment application with the hospital.

Step 2 – Investigate

The hospital conducted an internal investigation and notified the Information and Privacy Commissioner (IPC).

Records showed that Dr. Afandi had completed Privacy, Security, and Confidentiality training in October 2020 and had signed a confidentiality agreement with WRH. He also confirmed he reviewed WRH’s privacy module again when he reapplied in April 2024.

Step 3 – Notify

The hospitals reported the breach to the IPC on May 31, 2024, and to the College of Physicians and Surgeons of Ontario on June 1, 2024.

Notification letters were sent to potentially affected families the week of July 2, 2024, describing the incident, the PHI involved, and corrective actions. A hotline was provided for questions.

Step 4 – Prevent the Breach from Happening Again

AMP powers to address a privacy breach signal a new era of active enforcement in Ontario’s health privacy landscape.

Administrative Monetary Penalties (AMPs) came into effect under PHIPA on January 1, 2024. This update to the legislation gives the Information and Privacy Commissioner (IPC) authority to issue AMPs of up to $50,000 for individuals and $500,000 for organizations in cases of PHIPA non-compliance.

In this case, the Commissioner exercised those new powers and fined:

  • Dr. Afandi (individual): $5,000
  • WE Kidz Pediatrics (clinic as custodian): $7,500

Both were penalized for unauthorized access and use of PHI for personal gain.

The IPC found that WE Kidz opened without a compliant privacy program — a key factor in the penalty decision.

WE Kidz was also required to complete privacy training and develop formal privacy policies and procedures. The Commissioner also recommended that WRH improve its record-keeping and monitoring to better demonstrate compliance in future audits.

Commissioner’s Investigation

The IPC emphasized the importance of “demonstrable accountability.”

“Demonstrable accountability” refers to a repeatable and evidence-based system of data governance whereby organizations can show regulators and individuals how they meet their legal and professional responsibilities in practice.

In the data regulatory context, the concept has evolved beyond basic checklist compliance. It now requires organizations to prove that their accountability mechanisms are active and effective — that safeguards are working as intended to reasonably protect personal health information.

In other words, demonstrable accountability means being able to measure, document, and demonstrate that privacy protections are in place, maintained, and effective — not just written in a policy.

Being able to demonstrate compliance is a regulatory expectation under PHIPA — and it’s the key to avoiding costly penalties.

[Infographic: Demonstrable Accountability, Information Managers Ltd.]

Under Section 10 of PHIPA, custodians must have information practices describing how they collect, use, disclose, retain, and safeguard PHI — and they must comply with those practices in day-to-day operations.

Take-Aways

✅ “Demonstrable accountability” means having evidence that your privacy program is working — not just written policies on a shelf.

✅ Maintain dated policies, training checklists, and signed confidentiality agreements for every team member.

✅ Replace “professional deference” with consistent expectations — all healthcare providers must complete privacy training and demonstrate understanding.

✅ Document and review your privacy program annually to ensure that safeguards and practices are effective in real life.

✅ Unauthorized secondary use of PHI — even for legitimate healthcare services — is a serious breach and can result in financial penalties.

Need Help Training Your Privacy Team?

Join the Practice Management Success Membership to access privacy awareness training, templates, and resources to strengthen your privacy management program.

Reference

Information Privacy Commissioner of Ontario. PHIPA Decision 298. August 28, 2025. https://www.ipc.on.ca/en/decisions/latest-decisions/phipa-decision-298


Privacy Breach Nugget: Why Documentation Matters in Privacy Breach Investigations

Investigation Tips Following the NWT Health Authority Incident

When employees make mistakes that result in a privacy breach, the custodian is held responsible to ensure that appropriate investigations are performed. This includes appropriate documentation of the privacy breach incident and sanctions when indicated.

The NWT Information and Privacy Commissioner (IPC) opened an investigation into the Northwest Territories Health and Social Services Authority (NTHSSA) after a reported privacy breach in 2024. This review aimed to assess whether the health authority had adequate safeguards in place to investigate and prevent similar future incidents.

Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into what went wrong, what worked, and how you can apply these insights to strengthen your privacy program.

What Happened

In April 2024, a patient filed a complaint with the nurse-in-charge at a health centre in the Northwest Territories. The complaint alleged that a clerk had inappropriately shared the patient’s personal health information with a family member during a casual conversation.

The nurse-in-charge apologized to the patient and escalated the issue to the regional manager. The clerk denied disclosing the health information, but the health authority concluded the incident had indeed occurred.

The Commissioner emphasized that there was no ill intent, stating:

“The interaction between the clerk and the sister was spontaneous and indicates a simple lapse in judgment.”

Managing the Breach

The NTHSSA’s management of the privacy breach can be examined using the 4 Step Response Plan.

Step 1 – Spot and Stop

The privacy breach was identified by the patient and reported to the nurse in charge and escalated to the regional manager.

Step 2 – Investigate

An investigation was initiated. While the clerk denied the allegation, the health authority determined a breach had occurred.

However, the Commissioner noted a serious concern: the investigation was poorly documented. If notes were taken, they could not be located or produced during the review.

Step 3 – Notify

The patient and NTHSSA (the custodian) were already aware of the breach. No further notification was required.

Step 4 – Prevent the Breach from Happening Again

The health authority directed the clerk to:

  • Complete updated privacy training
  • Review the oath of office
  • Review patient confidentiality policies

No further disciplinary action was taken.

Commissioner’s Investigation

The IPC made several key recommendations:

  • Equip investigators: Ensure staff who investigate privacy breaches are properly trained and supported to conduct effective, timely, and well-documented investigations.
  • Enforce sanctions: Ensure managers understand the range of disciplinary options available and are aware of their obligation to apply reasonable disciplinary measures when warranted.
  • Annual privacy training: Reinforce the Mandatory Training Policy by ensuring all employees complete refresher privacy training every year.
  • Use real examples: Incorporate this privacy breach as a case study in future privacy training to help employees understand their obligations—at work and outside of work.

Take-Aways

Annual privacy training is not enough.

Training must include real-world, job-relevant examples and emphasize how privacy rules apply in everyday situations.

When employees make mistakes, it’s the custodian’s responsibility to lead an appropriate and well-documented investigation—not just revisit outdated training.

A strong privacy culture includes tools, training, and clarity. Equip your investigators, privacy officers, and managers with the skills they need to respond appropriately.

For more on how to manage privacy-related employee errors, listen to the podcast:

Managing Employees When They Make Mistakes – Episode #105

Need Help Training Your Privacy Team?

Ask me about Practical Privacy Officer Strategies training to strengthen your internal investigation process and build a more resilient workplace.

Reference

NWT IPC File Number 24-950-6, April 4, 2025. Northwest Territories Health and Social Services Authority (Re), 2025 NTIPC 97 (CanLII), https://canlii.ca/t/kc0s6, retrieved 2025-06-09.

AI Scribes in Canada

A lot has changed recently with AI scribe initiatives in Canada. Here’s a quick update and resources to help your clinic make informed decisions.

What is AI?

Artificial intelligence (AI) is an advanced form of information processing that helps automate or enhance tasks. In healthcare, AI doesn’t replace providers—it supports them. Clinicians still guide its use, review outputs, and make informed decisions.

AI can reduce administrative burden and help address physician burnout. Importantly, it should not be used to increase patient volumes. Instead, it is a tool to enhance care and support the physician’s role.

AI tools typically combine hardware, software, and data. Even familiar tools like Microsoft Copilot or ChatGPT follow this model. In healthcare, software is often applied to patient data, which means privacy and transparency are critical.

What Is an AI Scribe?

“AI Scribe” is a broad term for tools that help generate clinical notes. Common workflows include:

  • Dictation: provider speaks, and AI formats the note.
  • Live Listening (also called Ambient Listening): AI listens during a patient visit and drafts the note based on the conversation.
  • Advanced features: some tools analyze lab trends, suggest diagnoses, or remind providers about follow-ups.

See my article Thinking About Using AI Scribe in Your Healthcare Practice? for additional background.

Why AI Governance Matters

Each clinic must manage how personal health information (PHI) is collected, used, accessed, and disclosed—especially when introducing new technology.

An AI governance framework provides a structured approach to address risks, ethics, and compliance. Think back to when computers first arrived in clinics: there was hype, confusion, and risk. Eventually, we built vendor vetting processes, training, and structured implementation. The same is true today with AI.

Key principles:

  • Create written procedures for evaluating vendors.
  • Set clear expectations: employees should not independently adopt AI tools.
  • Encourage open discussion and collaborative decision-making.

AI Governance and Accountability Framework

Just as it was never appropriate for individuals to bring their own computers from home to manage patient records, it is not appropriate for clinicians or staff to adopt AI tools on their own.

Introducing AI into a clinic requires a collaborative, structured approach. An AI governance framework helps organizations manage risks, ethics, and compliance requirements, including new or emerging risks.

Every clinic should have written procedures that:

  • Set clear expectations for evaluating and selecting vendors.
  • Prohibit staff from independently implementing AI tools.
  • Encourage open discussion and a culture of accountability when considering new technologies.

Without this oversight, indiscriminate use of AI can compromise the accuracy, integrity, and security of personal health information (PHI) — and create risks for the entire organization.

Implementation: Not Plug and Play

AI adoption requires planning. Assign responsibility and accountability for implementation and monitoring. Include your privacy officer in this role.

Your plan should include:

  • Staff training and awareness
  • Confidentiality and end-user agreements
  • Cybersecurity and technical safeguards

Do You Need a Privacy Impact Assessment (PIA)?

Yes! If an AI system introduces new collections, uses, or disclosures of PHI, a PIA is required.

Custodians must ensure PHI is protected against theft, loss, and unauthorized use or disclosure, and that records are securely retained, transferred, and disposed of. This includes ensuring vendors have sufficient safeguards in place.

Recent Resources

Here are a few current references to support your decision-making:

Canada Health Infoway announced in May 2025 a program offering fully funded one-year licenses for eligible primary care providers across Canada. Visit Canada Health Infoway to register for updates and eligibility notifications.

Artificial Intelligence (AI) Scribe Privacy Impact Assessment Guidance, developed by the Office of the Information and Privacy Commissioner (OIPC) of Alberta. September 22, 2025.

Canada Health Infoway Supports AI Scribe Implementation in Alberta with Reference to OIPC Privacy Guidance – September 22, 2025

Contractual Safeguards – Ontario MD Guidance – AI Scribes

Vendor of Record list, Supply Ontario – This list features qualified solutions that meet the needs of clinicians

AMA Artificial Intelligence Principles and Policy, February 7, 2025

Need help getting started with your AI privacy and implementation plan?

  • Explore our blog posts on AI and privacy.
  • Join the Practice Management Success membership for training, templates, and discussions.
  • Or ask me directly about PIA consultation services to support your clinic’s AI implementation.

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

Build a Strong Privacy Management Program for Your Clinic With These 5 Critical Modules

Struggling to Learn Your Role As A Privacy Officer?

In many small healthcare practices, the privacy officer is also the clinic manager, healthcare provider, IT technician, or business owner. It’s no surprise that new privacy officers feel overwhelmed trying to balance competing responsibilities.

Without a clear plan, you may find that you

  • Panic when a patient asks for their information for access or correction.
  • Scramble when new employees and healthcare providers join your clinic . . . and suddenly realize that you never got around to providing privacy and cybersecurity awareness training.
  • Hope that your practice will not be tapped on the shoulder for a practice review by your college or the OIPC.
  • Ignore privacy breach and hope no one else notices.
  • Avoid difficult decisions with your owners / staff who insist on doing things their way – even when it is not privacy compliant.
  • Never get ‘review privacy impact assessment’ and ‘review privacy policies and procedures’ off of your to-do list.
  • Avoid discussing privacy and security with your EMR and computer networks managed service providers because you are unsure of what questions to ask and what types of answers you should receive.

If you don’t have a written privacy management program and action plan, you are missing the systems that prevent small issues from becoming privacy and security incidents.

The good news? Organizations with an active privacy officer and privacy management program are less likely to experience breaches and report better staff engagement and patient trust.

Privacy Is Good For Business

Strong privacy practices aren’t just about legal compliance. Policies, procedures, and systems improve communication, reduce risk, and support better decision-making.

A practical privacy management program creates accountability for the collection, use, and disclosure of health information, while demonstrating compliance to regulators and professional colleges.

Based on my experience, the five critical modules of a privacy management program are:

  1. Know Your Obligations
  2. Train
  3. Privacy Breach Management
  4. Document your Privacy Management Program
  5. Access and Disclosure

Module 1—Know your Obligations

Accountability starts with your healthcare provider(s)—also known as “custodians.” They are legally responsible for the privacy, confidentiality, and security of personal health information (PHI).

Custodians can delegate day-to-day tasks to a privacy officer, often the clinic or practice manager in smaller settings. Business owners also have obligations for employee and customer information. Together, the healthcare provider, business owner, and privacy officer form a trifecta of authority responsible for privacy compliance.

Knowing your obligations means:

  • Establishing clear roles and accountability
  • Identifying all types of personal and health information in your practice
  • Understanding how privacy legislation applies to your operations

Training for custodians and privacy officers is often required to build confidence and competence in these responsibilities.

Module 2 – Training

Privacy training is essential and must be consistent across your organization. Every staff member—new and experienced—should complete privacy awareness and cybersecurity training, and you should document attendance.

Effective training includes both formal and informal opportunities:

  • Formal: orientation programs, annual refreshers, and documented privacy awareness training
  • Informal: short reminders in staff meetings, activities tied to events like Data Privacy Day or Cybersecurity Awareness Month

Don’t overlook staff moving into new roles—promotions are an ideal time for targeted training about new responsibilities, such as authorizing users or supervising others.

Module 3 – Privacy Breach Management Plan

Every practice needs a written privacy breach management procedure. The privacy officer should ensure staff know how to recognize and report a breach, and custodians must be notified promptly.

Your plan should cover:

  • How to contain and investigate suspected breaches
  • Sanctions for non-compliance
  • Notification to patients and regulators when required

The privacy officer will manage mandatory privacy breach notification requirements under health privacy legislation such as the Alberta Health Information Act (HIA), Ontario’s Personal Health Information Protection Act (PHIPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and other provinces’ legislation.

Module 4 – Document: The Backbone of Privacy Compliance


Module 5 – Access and Disclosure: Ensuring Patient Rights

Patients and employees have the right to access and correct their information. Release of information (ROI) policies and procedures are essential.

Your ROI plan should:

  • Define clear steps for handling requests
  • Train staff on how to respond appropriately
  • Align with legislation and college standards of practice

Doing this well helps you avoid complaints and breaches, improves efficiency, and strengthens patient trust.

Bringing It All Together

Being a privacy officer doesn’t have to feel overwhelming. With a structured privacy management program built on these five modules, you’ll have the systems to protect patients, support your staff, and strengthen your business.

If you’re a privacy officer in a healthcare practice and want practical strategies you can apply right away, join the upcoming Practical Privacy Officer Strategies training.

Training starts October 9, 2025

Register here https://informationmanagers.ca/ppo

Not sure if this is for you?

Send me an email and ask me! I’m happy to mentor you and help you assess your practice management and privacy compliance priorities.

Do You Want To Be A Confident Healthcare Privacy Officer?

Understanding the Role: What Is a Privacy Officer?

A privacy officer is a key employee in a healthcare organization who is named by the healthcare provider (custodian) and assigned the responsibility to oversee all activities related to the implementation of, and adherence to, the organization’s privacy practices, and to ensure that operational procedures comply with relevant privacy laws. The privacy officer monitors how employees and systems collect, use, disclose, and access identifying information.

A privacy officer may be known by other titles like privacy compliance officer or a security officer.

If your healthcare business involves the collection, use, and disclosure of your clients’ and patients’ personal health information, a privacy officer is necessary in order to meet legislated requirements.

Consequences of Operating Without a Privacy Officer

Healthcare practices without a privacy officer often experience confusion about how patients’ personal health information should be collected, used, and disclosed. Patients may complain about lack of access to their personal health information. Without a named privacy officer to assume the responsibility to implement and monitor reasonable administrative, technical, and physical safeguards, you are more likely to experience privacy and security incidents, privacy breaches, investigations, fines, and charges under the privacy legislation!

Case Studies: Real-world Implications of Privacy Officer Absence

In 2019, the British Columbia Office of the Information and Privacy Commissioner (OIPC) conducted a privacy audit of 22 medical clinics. The auditors found gaps in privacy management programs at several clinics, including the absence of a designated privacy officer, a lack of funding and resources for privacy, and a failure to ensure that privacy practices keep up with technological advances.

Here’s another example. A complaint was made against a medical clinic where an employee was suspected of accessing health information for an unauthorized purpose. The Alberta OIPC investigated and revealed confusion around the roles and responsibilities for privacy compliance among the custodians and the privacy officer. The OIPC determined that the custodian was in contravention of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information.

Say No to Snooping: The Need for Privacy Enforcement

Employees who are not aware of privacy requirements may engage in snooping into personal health information. Consequences of employee snooping include firing, charges under the Health Information Act, and court-ordered fines, jail time, probation, community service, and more.

Roles and Responsibilities of a Healthcare Privacy Officer

So, what does a privacy officer do? The roles and responsibilities of a privacy officer in a typical healthcare practice include the following:

  • Identify privacy compliance issues for the business.
  • Ensure privacy and security policies and procedures are developed and keep them up to date.
  • Ensure that everyone working at your clinic and your vendors are aware of their privacy obligations.
  • Monitor your clinic’s ongoing compliance with privacy legislation like the Health Information Act (HIA) in Alberta.
  • Provide advice and interpretation of related legislation for the business.
  • Respond to requests for access and corrections to personal information.
  • Ensure the security and protection of personal information in the custody or control of the business.
  • Act as the primary point of privacy and access contact for staff, patients, vendors, regulators and other stakeholders.
 

Introducing Practical Privacy Officer Strategies Training

I want to help you become a confident healthcare privacy officer. And a guide (or a Jeannie) to help you is a good thing.

Practical Privacy Officer Strategies will help you to assess your current PIA and privacy management program and plan your privacy compliance activities for the next year!

5 Modules with Live 1-hour training and on-line mentoring will help you to build systems to monitor the routine tasks that will protect privacy and alert you to potential problems before they become privacy and security incidents.

How the training will be delivered:
  • Pre-recorded core training in each of the 5 modules. You watch the 1 hour video before the live coaching call.
  • Live 1 hour coaching call with practical case study, discussion, and accountability in each of the 5 modules.
  • Actionable plan with templates, tools, and resources to use what you learned.
  • Every module includes both WHY you need the information and HOW you should use the information.
 
If You Collect PHI, You Need a Data Inventory

You Can’t Safeguard What You Can’t Find

Do you know where all the personal health information (PHI) in your practice lives?

When you collect PHI, you are responsible to ensure the security, privacy, and confidentiality of that information. The first step is knowing where the PHI resides.

A data inventory is a foundational privacy and security tool. It is a detailed list of all the PHI that you collect, what data is included, where it is kept, and who has access to it.

A well-maintained data inventory supports informed decisions about budgeting, risk analysis, and incident response. If you don’t have a data inventory yet, use these tips to help you prepare one now. An annual review is an expected reasonable safeguard to protect PHI and stay compliant.

Why Custodians Need a Complete Picture of PHI Locations

When a healthcare provider collects PHI, they take on an explicit responsibility to the individual who shared their information. Patients trust you with their sensitive data—and you must demonstrate that you will respect and protect it.

Reasonable safeguards are not just good practice—they are mandated by professional standards and provincial privacy legislation such as Alberta’s Health Information Act (HIA) and Ontario’s Personal Health Information Protection Act (PHIPA).

The healthcare provider (sometimes called a custodian) is ultimately responsible for the safekeeping of PHI. Their privacy officer often is responsible to ensure that privacy and security documentation is up to date and communicated throughout the organization.

PHI doesn’t only exist in your EMR. It lives in many places, such as:

  • Electronic Medical Records (EMRs)
  • Billing systems
  • Email inboxes
  • Paper records
  • Third-party apps (e.g., transcription, booking tools)
  • Staff smartphones (texts, voicemails, photos)

Remember: If you don’t know where it is, you can’t protect it—and you certainly can’t include it in your breach response plan.

Your Data Inventory: The “No Data Left Behind” Checklist


A data inventory doesn’t have to be complicated. Include members of your care team and admin support as you build this list. Start with this simple framework:

A. Identify All Systems and Locations

List all the places where PHI is stored, whether short-term or long-term:

  • EMR or practice management system
  • Billing submissions (e.g., provincial insurance, private insurance, patient payments)
  • Medical devices (e.g., ECG machines, dental imaging)
  • Scanners, fax machines, copiers
  • Email systems
  • Cloud storage (e.g., Google Drive, Dropbox)
  • Staff’s personal devices (if BYOD)
  • Third-party service providers
  • Archived/off-site backups
  • Paper charts and historical records

B. Track Who Has Access

For each location, identify who has access:

  • Internal staff (by role or function)
  • IT support
  • Contracted vendors (e.g., EMR vendors, managed service providers, billing services, transcriptionists)
  • Consultants
  • Software integrations

C. Review What Kind of Data Is Stored

Be detailed and include data elements for each category:

  • Demographic data
  • Clinical notes
  • Referrals
  • Lab results, diagnostic images
  • Billing or insurance information
  • Communication records (e.g., emails, messages, voicemails)

D. Record How Long You Need to Keep It

Know your legal and professional patient records retention requirements:

  • Generally: 10 years past the last contact, or 10 years after the patient reaches the age of majority.
  • Be cautious: deleting data too soon or holding on to it too long can both carry risk.

Annual Inventory Review: Contracts and Data Access Change

Things change—vendors go out of business, new platforms are introduced, and team members come and go. That’s why an annual review is essential.

Use this opportunity to:

  • Update your list of active software and service providers
  • Review and confirm that vendor contracts include proper privacy safeguards (e.g., Information Management Agreements)
  • Remove access from former employees and terminated accounts
  • Re-assess your data flow maps and user permissions

A current, complete inventory is also essential for PIAs (Privacy Impact Assessments), risk assessments, and effective breach response.

Bonus Tip: Get Your Team Involved

Your staff may know about data sources you’ve forgotten—like a temporary tool used during vacation coverage or a shared spreadsheet with legacy data.

Include your team in the conversation:

  • Host a “Where is our data?” lunch-and-learn or team meeting
  • Use privacy awareness week as a trigger to review and update your inventory
  • Encourage a culture of shared responsibility for PHI protection

It’s Time to Create Your Data Inventory

You can’t safeguard what you can’t see. Now is the perfect time to create—or update—your clinic’s data inventory.

Need help getting started? Join our Practice Management Success Membership for templates, training, and step-by-step guidance. You’ll gain access to practical tools that support your privacy compliance every day.

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

Thinking About Using AI Scribe in Your Healthcare Practice?

What is AI?

AI (artificial intelligence) is an advanced form of information processing to help automate or enhance tasks. In healthcare, AI doesn’t replace providers—it supports them. Clinicians still need to guide its use, review outputs, and make informed decisions.

AI tools typically involve hardware, software, and your data. Even common tools like Microsoft Copilot or ChatGPT rely on this structure. In healthcare, you are often purchasing software and applying it to your patient data—so privacy and transparency are critical.

What Is AI Scribe?

“AI Scribe” is a broad term for tools that help generate clinical notes. Common workflows include:

  • Dictation: The provider speaks, and AI formats the note.
  • Live Listening: The AI listens during a patient visit and drafts the note based on the conversation.

Some advanced tools go further—analyzing lab trends, suggesting diagnoses, or reminding providers about follow-ups. For example, an AI integrated into your EMR may prompt you to include trending lab values in the note.

The AI can “listen” to the patient encounter and summarize it, preparing a draft clinic note for the provider to review.

What Are the Benefits?

AI scribe tools can reduce documentation time by up to 40%, allowing for:

  • Less administrative burden
  • More time with patients
  • Reduced provider burnout

Supporting data:

  • Ontario’s Ministry of Health reports significant time savings.
  • Canada Health Infoway highlights administrative efficiency gains.
  • Alberta’s OIPC HIA Engagement Survey (2024) found public support—with a strong emphasis on transparency.

Do You Need Patient Consent?

Some technology providers argue that patient consent isn’t required—just like we don’t ask patients to approve our use of an EMR system. However, informing patients is essential, especially if the AI listens to or analyzes conversations.

For example, if the provider speaks observations aloud (e.g., “You appear pale and sweaty”) for the AI to capture, patients should understand that this is part of the documentation process.

Inform Patients When We Use AI Tools

As part of your AI implementation plan, consider how you will inform individuals. You might use:

  • A poster in the clinic
  • A verbal explanation at the visit start
  • A statement in your privacy notice

The key is to make a thoughtful, documented decision—and apply it consistently.

Your risk assessment and associated policies will form the foundation of your Privacy Impact Assessment (PIA).

Implementation: It’s Not Plug and Play

AI tools require careful planning. Follow these steps to support successful implementation:

  1. Understand Your Workflow – Know what works and what needs improvement.
  2. Benchmark – Collect data to measure impact.
  3. Choose a Vendor – Use Canada Health Infoway’s pre-qualified vendor list (https://aiscribe.infoway-inforoute.ca).
  4. Do a Risk Assessment & PIA – Ensure compliance with privacy legislation.
  5. Start Small – Pilot the tool first before full rollout.
  6. Analyze Results – Check what’s working.
  7. Roll Out Broadly – Expand based on success.
  8. Monitor Continuously – Evaluate, adjust, and improve as needed.

Who Benefits Most From AI Scribe?

According to the eHealth Centre of Excellence, family physicians and primary care providers benefit most—especially those not already using dictation tools. AI scribe tools are ideal for routine, episodic care with clear documentation needs.

Funding Opportunity

Canada Health Infoway is offering fully funded one-year licenses for eligible primary care providers across Canada, including:

  • Family physicians
  • Nurse practitioners
  • Nurses in remote communities
  • Pediatricians providing community-based care

Visit https://aiscribe.infoway-inforoute.ca to register for updates and eligibility notifications.

Final Thoughts

AI scribe tools aren’t one-size-fits-all. But with thoughtful planning, clear communication, and proper implementation, the benefits can be significant: more efficient workflows, improved care, and reduced clinician burnout. This improves patient access to healthcare, too!

Need help getting started with your AI privacy and implementation plan?

Practice Management Success members have access to additional tools, including:

  • AI Privacy Checklists
  • Sample Risk Assessments
  • On-demand Q and A with Jean replays:
    • AI in Healthcare – AB Engagement Survey (Mar 11, 2025)
    • AI Implementation Toolkit (Nov 12, 2024)
    • Is AI the Right Choice for Your Clinic? Key Questions Before Using AI Transcription Tools (Jul 9, 2024)


Why You Need Policies and Procedures

Why You Need Health Information Policies and Procedures

Maybe you’ve heard you need written policies and procedures for your health information, but you’re left asking yourself why it’s so important.

The truth is, without written policies and procedures, you open a healthcare practice up to a whole host of problems, including major legal issues.

In fact, every business needs good practices that apply to your:

  • Information that you collect from patients/clients
  • Website
  • Email
  • Business practices including electronic (or paper) patient records, and computer network
  • Financial information
  • Billing, collection, and payment processing

Within the healthcare industry, there are additional legislative requirements for specific written health information policies and procedures.

The Health Information Act (HIA) and the Personal Information Protection Act (PIPA)

As we mentioned, when a custodian collects health information, you must follow the Health Information Act (HIA) in Alberta.

Like most other private businesses in Alberta, private healthcare practices must also comply with the Personal Information Protection Act (PIPA).

The colleges of regulated health professionals (like the Alberta Dental Association and College (ADAC) and the College of Physicians and Surgeons of Alberta (CPSA)) require dentists and physicians to meet standards of practice that include compliance with HIA and PIPA legislation.

In addition, the colleges have other standards of practice that you must meet, including policies and procedures for the collection, use, disclosure, and access of health information.

So, let’s explore further why written policies and procedures are so essential, as well as what can happen without them, and why healthcare practices may not think they need them in the first place.

Benefits of Policies and Procedures

One of the most critical benefits of having policies and procedures in place is that they’re good for business.

Here’s how:

  • They contribute to consistent, efficient workflow.
  • You can figure it out once, write the procedure, tweak it to make it better, and then repeat the same procedure again and again.
  • They help you make better business decisions, like buying supplies, choosing services, and selecting vendors.
  • They help support your accreditation efforts.
  • On-boarding employees the right way with no missed steps is much easier with policies and procedures in place.

If you’re looking for even more proof of the benefits of having written procedures, it can also help you avoid:

  • Internal disputes within your team and external disputes with your patients and clients
  • Re-work and re-training employees
  • Poor customer service
  • Poor reputation
  • Fines and penalties

Fines And Penalties For Not Having Written Policies And Procedures

You might be wondering why you would face fines and penalties for not having written policies and procedures in the first place.

The HIA requires the custodian – which includes the physician, pharmacist, dentist or dental hygienist – to take reasonable safeguards to protect the privacy and confidentiality of patients’ health information.

Having written policies and procedures is a common, expected, and reasonable safeguard.

Let’s say you have a privacy breach in your practice or an error (like sending a fax to the wrong number or you are a victim of a phishing or ransomware attack).

You can learn more about what makes a privacy breach a privacy breach here.

If you can’t demonstrate that you had the appropriate reasonable safeguards, like written policies and procedures in place, you are guilty of an offence under the law.

It’s illegal not to have policies and procedures when you collect health information.

If you are guilty of this offence, you are liable for a fine of a minimum of $2,000 and not more than $500,000. (HIA section 107(7)).

3 Policies and Procedures Myths

One reason some healthcare practices fail to have written policies and procedures is because they believe they don’t need them.

Often, this is because they’ve fallen prey to the common myths about policies and procedures.

Here are 3 common myths that stop healthcare providers and their clinic managers from creating written policies and procedures:

  1. It’s Too Hard

While it does take some skill to write clear, easy to read, and easy to understand policies and procedures, it doesn’t have to be hard. In fact, you can even purchase templates to make this easier.

  2. It Takes Too Much Time

Writing policies and procedures does take some time.

But investing the time to create policies and procedures pays off: you avoid inconsistent or broken procedures, using or disclosing health information in error, fines and penalties, public relations nightmares, and the time required to run a privacy or security investigation.

  3. It’s A Waste Of Time

Here are a few good reasons that prove writing policies and procedures is not a waste of time:

  • Practical privacy policies and procedures will create a more efficient practice and help you make better business decisions.
  • The policies and procedures become the foundation of your privacy impact assessment.
  • Policies and procedures are pre-requisites for other initiatives, like access to Netcare or other community integration initiatives, and privacy impact assessment (PIA). Click here to learn more about PIAs.
  • You must have them as part of your legislative compliance.
  • It’s the law. Not having policies and procedures regarding the collection, use, disclosure, and access of health information is illegal.

As you can see, written policies and procedures help ensure consistent office procedures and good communication between team members in your healthcare practice.

In addition to those good reasons, you must have good written policies and procedures about how you collect, use, disclose, and provide access to health information to avoid legal problems, fines, penalties, and other problems.

 

Not Sure Which Policies and Procedures You Need?

 

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies and Procedures Are? 

Privacy Impact Assessments (PIA)

Leaving a Group Practice? Know Your Responsibilities for Patient Records

You’ve been part of a group practice for some time.

Now, you’re preparing to open your own clinic, relocate to another area, or step away from practice altogether. Whatever your next move, it’s important to understand your responsibilities when it comes to patient health records.

Here’s what you need to know to leave well—and stay compliant.

Understanding Your Rights and Responsibilities

When you leave a group practice, you still have important obligations tied to patient records. These include:

  • Record access, security, and retention – You’re responsible for the health records you’ve collected while in practice.
  • Right of continuing access – You have the right to access the records of patients you’ve cared for, even after leaving, to respond to inquiries for access, disclosure, complaints, or investigations.
  • Continuity of care – You’re responsible for ensuring appropriate access to patient records to support ongoing care.
  • Duty to inform – Patients should be made aware of your departure and how their records will be managed.
  • Respect existing agreements – This includes any contracts or group practice policies in place, such as Information Management Agreements (IMAs) or Information Sharing Agreements (ISAs).

Resources to Guide You

Before finalizing your departure, review the following documents and standards:

  • Your contract – especially termination clauses
  • Information Management Agreements (IMAs) – with both the group practice and EMR providers
  • Information Sharing Agreements (ISAs)
  • Privacy and security policies – especially those related to closing or relocating a practice
  • Professional college standards – around recordkeeping and patient notification
  • Provincial health privacy legislation – such as Alberta’s Health Information Act or Ontario’s PHIPA

These documents can help clarify who retains custody of the records, what access rights you have, and how to ensure continuity of care for your patients.

What Are Your Plans?

Your responsibilities will vary depending on your next step:

If You’re Relocating (and Patients May Follow)

You may want to request a copy of relevant patient records for continuity of care. To do this:

  • Review your IMA – Is there a cost to receive a copy of your patient records?
  • Talk to your EMR vendor – Is data export or transfer supported? What is the cost?
  • Ensure data quality assurance – Will the records be intact and complete?
  • Prepare a new Privacy Impact Assessment (PIA) for your new location, including data migration

If You’re Leaving Practice or Relocating Far Away

You may choose to leave records with the current group practice. In that case:

  • Make sure you have a written agreement outlining who is responsible for access, storage, and disclosures.
  • Update your IMA to authorize the group to manage patient inquiries on your behalf.
  • Keep in touch with the group practice so that they can reach you in case you’re needed to support access to patient records or respond to complaints. You also want to know if the group practice changes significantly.
  • Don’t abandon your records. Even if you’re no longer practicing, you’re still responsible for their safekeeping.

The group practice must also agree to manage your patient records on your behalf. Don’t make assumptions—get it in writing!

It Takes Time

You didn’t start your practice overnight. It will take time to successfully plan and implement the transition of patient records when you leave the group practice.

Leaving a group practice is a significant professional step—and handling patient records properly is part of doing it right.

With the right planning, communication, and documentation, you can support your patients, protect yourself, and move forward with peace of mind.

Want Extra Support To Navigate Your Transition?

These resources include practical templates, checklists, and expert guidance to help you leave your current practice confidently and in compliance.

✅ Download the Practice Management Success Tips – Closing or Moving Your Healthcare Practice

✅ Get your copy of The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)