Why You Need Policies and Procedures

Why You Need Health Information Policies and Procedures

Maybe you’ve heard you need written policies and procedures for your health information, but you’re left asking yourself why it’s so important?

The truth is, without written policies and procedures, you open a healthcare practice up to a whole host of problems, including major legal issues.

In fact, every business needs good practices that apply to your:

Information that you collect from patients/clients
Website
Email
Business practices including electronic (or paper) patient records, and computer network
Financial information
Billing, collection, and payment processing

Within the healthcare industry, there are additional legislation requirements that require specific written health information policies and procedures.

The Health Information Act (HIA) and the Personal Information Privacy Act (PIPA)

As we mentioned, when a custodian collects health information, you must follow the Health Information Act (HIA) in Alberta.

Like most other private businesses in Alberta, private healthcare practices must also comply with the Personal Information Privacy Act (PIPA).

The colleges of regulated health professionals (like the Alberta Dental Association and College (ADAC) and the College of Physicians and Surgeons of Alberta (CPSA), require dentists and physicians to meet the standards of practice which includes compliance to HIA and PIPA legislation.

In addition, the college has other standards of practice that you must meet, including policies and procedures for the collection, use, disclosure, and access of health information.

So, let’s explore further why written policies and procedures are so essential, as well as what can happen without them, and why healthcare practices may not think they need them in the first place.

Benefits of Policies and Procedures

One of the most critical benefits of having policies and procedures in place is that they’re good for business.

Here’s how:

They contribute to consistent, efficient workflow.
You can figure it out once, write the procedure, tweak it to make it better, and then repeat the same procedure again and again.
They help you make better business decisions, like buying supplies, choosing services, and selecting vendors.
They help support your accreditation efforts.
On-boarding employees the right way with no missed steps is much easier with policies and procedures in place.

If you’re looking for even more proof of the benefits of having written procedures, it can also help you avoid:

Internal disputes within your team and external disputes with your patients and clients
Re-work and re-training employees
Poor customer service
Poor reputation
Fines and penalties

Fines And Penalties For Not Having Written Policies And Procedures

You might be wondering why you would face fines and penalties for not having written policies and procedures in the first place.

The HIA requires the custodian – which includes the physician, pharmacist, dentist or dental hygienist – to take reasonable safeguards to protect the privacy and confidentiality of patients’ health information.

Having written policies and procedures is a common, expected, and reasonable safeguard.

Let’s say you have a privacy breach in your practice or an error (like sending a fax to the wrong number or you are a victim of a phishing or ransomware attack).

You can learn more about what makes a privacy breach a privacy breach here.

If you can’t demonstrate that you had the appropriate reasonable safeguards, like written policies and procedures in place, you are guilty of an offence under the law.

It’s illegal not to have policies and procedures when you collect health information.

If you are guilty of this offence, you are liable for a fine of a minimum of $2,000 and not more than $500,000. (HIA section 107(7)).

3 Policies and Procedures Myths

One reason some healthcare practices fail to have written policies and procedures is because they believe they don’t need them.

Often, this is because they’ve fallen prey to the common myths about policies and procedures.

There are 3 of the common myths that stop healthcare providers and their clinic managers from creating written policies and procedures:

It’s Too Hard

While it does take some skill to write clear, easy to read, and easy to understand policies and procedures, it doesn’t have to be heard. In fact, you can even purchase templates to make this easier.

It Takes Too Much Time

Writing policies and procedures does take some time.

But investing the time to create policies and procedures pays off by preventing suffering from inconsistent or broken procedures, using or disclosing health information in error, and having to pay fines, penalties, public relations nightmares, or spending the time required to run a privacy or security investigation.

It’s A Waste Of Time

Here are a few good reasons that prove writing policies and procedures is not a waste of time:

Practical privacy policies and procedures will create a more efficient practice and help you make better business decisions.
The policies and procedures become the foundation of your privacy impact assessment.
Policies and procedures are pre-requisites for other initiatives, like access to Netcare or other community integration initiatives, and privacy impact assessment (PIA). Click here to learn more about PIAs.
You must have them as part of your legislative compliance.
It’s the law. Not having policies and procedures regarding the collection, use, disclosure, and access of health information is illegal.

As you can see, written policies and procedures help ensure consistent office procedures and good communication between team members in your healthcare practice.

In addition to those good reasons, you must have good written policies and procedures about how you collect, use, disclose, and provide access to health information to avoid legal problems, fees, penalties, and other problems.

Not Sure Which Policies and Procedures That You Need?

Show Me Policy And Procedure Checklist

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies and Procedures Are?

Privacy Impact Assessments (PIA)

Policy and Procedure Checklist book image

Leaving a Group Practice? Know Your Responsibilities for Patient Records

You’ve been part of a group practice for some time.

Now, you’re preparing to open your own clinic, relocate to another area, or step away from practice altogether. Whatever your next move, it’s important to understand your responsibilities when it comes to patient health records.

Here’s what you need to know to leave well—and stay compliant.

Understanding Your Rights and Responsibilities

When you leave a group practice, you still have important obligations tied to patient records. These include:

Record access, security, and retention – You’re responsible for the health records you’ve collected while in practice.
Right of continuing access – You have the right to access the records of patients you’ve cared for, even after leaving, to respond to inquiries for access, disclosure, complaints, or investigations.
Continuity of care – You’re responsible for ensuring appropriate access to patient records to support ongoing care.
Duty to inform – Patients should be made aware of your departure and how their records will be managed.
Respect existing agreements – This includes any contracts or group practice policies in place, such as Information Management Agreements (IMAs) or Information Sharing Agreements (ISAs).

Resources to Guide You

Before finalizing your departure, review the following documents and standards:

Your contract – especially termination clauses
Information Management Agreements (IMAs) – with both the group practice and EMR providers
Information Sharing Agreements (ISAs)
Privacy and security policies – especially those related to closing or relocating a practice
Professional college standards – around recordkeeping and patient notification
Provincial health privacy legislation – such as Alberta’s Health Information Act or Ontario’s PHIPA

These documents can help clarify who retains custody of the records, what access rights you have, and how to ensure continuity of care for your patients.

What Are Your Plans?

Your responsibilities will vary depending on your next step:
If You’re Relocating (and Patients May Follow)
You may want to request a copy of relevant patient records for continuity of care. To do this:

Review your IMA – Is there a cost to receive a copy of your patient records?
Talk to your EMR vendor – Is data export or transfer supported? What is the cost?
Ensure data quality assurance – Will the records be intact and complete?
Prepare a new Privacy Impact Assessment (PIA) for your new location, including data migration

If You’re Leaving Practice or Relocating Far Away
You may choose to leave records with the current group practice. In that case:

Make sure you have a written agreement outlining who is responsible for access, storage, and disclosures.
Update your IMA to authorize the group to manage patient inquiries on your behalf.
Keep in touch with group practice so that they can reach you in case you’re needed to support access to patient records or respond to complaints. You also want to know if the group practice changes significantly.
Don’t abandon your records. Even if you’re no longer practicing, you’re still responsible for their safekeeping

The group practice must also agree to manage your patient records on your behalf. Don’t make assumptions—get it in writing!

It Takes Time

It takes time

You didn’t start your practice overnight. It will take time to successfully plan and implement the transition of patient records when you leave the group practice.

Leaving a group practice is a significant professional step—and handling patient records properly is part of doing it right.

With the right planning, communication, and documentation, you can support your patients, protect yourself, and move forward with peace of mind.

Want Extra Support To Navigate Your Transition?

These resources include practical templates, checklists, and expert guidance to help you leave your current practice confidently and in compliance.

✅ Download the Practice Management Success Tips – Closing or Moving Your Healthcare Practice

✅ Get your copy of The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Privacy Principles Applies After Death

Are your staff looking at medical records when they shouldn’t be?

Many people have the mistaken impression they can look at a patient’s medical records as long as they don’t tell anyone else.

It’s not okay.

We continue to see examples of snooping where both seasoned and new healthcare providers and support staff don’t realize that looking at patient’s health information—even with good intentions—is a serious privacy violation.

As privacy lawyer Kate Dewhirst puts it

Privacy = Don’t look
Confidentiality = Don’t tell

Despite years of experience, many healthcare professionals still need a refresher on the basics. Privacy awareness training remains essential.

In this article, I am sharing an example of the Ontario’s Information Privacy Commissioner (IPC). This case involves a privacy complaint submitted by the family of a deceased individual. It’s a good reminder that whether you’re running a brand-new clinic or managing an established practice, it’s critical to understand your legal responsibilities and have systems in place to protect patient information.

What Happened

In 2014, a physician accessed a deceased patient’s health records while acting in his role as a coroner. The patient was also a family member. Soon after, the family alleged that the physician continued to access the individual’s personal health information (PHI) contrary to Ontario’s Personal Health Information Protection Act (PHIPA).

The family submitted a complaint to the hospital. Initially, the hospital’s response did not satisfy the family. The family filed a complaint to the Information and Privacy Commissioner (IPC) of Ontario.

The IPC started a complaint investigation.

privacy principles after death privacy breach incident scenario diagram

Privacy Complaint Investigation

Under PHIPA, the hospital is a health information custodian and the physician is an agent of the hospital.

During the IPC investigation, the physician admitted he “accessed the health information in response to his concern about the individual’s well-being.”

“I know now that proceeding in this way was misguided and wrong.” He would never disclose the information to anyone; that would be a violation of patient privacy and a breach of doctor – patient confidentiality.

He acknowledged he misunderstood the difference between:

• Privacy: The general right of every individual (living or deceased) to limit access to their health information.
• Confidentiality: The duty to not share that information once accessed.
• Circle of care / Need to know: You must only access information required to provide care at that moment.

4 Step Response Plan

When you have a privacy breach, follow these four steps to manage the privacy breach incident.

Step 1 – Spot and Stop the Breach

The family’s complaint prompted the hospital to begin the first step to spot and stop the breach.

Step 2 – Evaluate the Risks

An initial risk assessment was conducted, and after the IPC got involved, the hospital re-opened the investigation. They completed a comprehensive review and used audit log reporting tools to trace access.

Step 3 – Notify

The hospital eventually informed the family of the privacy breach—but the notification wasn’t timely. A more thorough and timely response could have helped address the family’s concerns more effectively.

Step 4 – Prevent the Breach From Happening Again

Following the breach, the hospital implemented several improvements:

Introduced a new auditing program that enhances its ability to detect unauthorized access.
Updated its Privacy and Confidentiality Policy, which applies to all agents of the hospital.
Launched mandatory annual electronic privacy training program for all staff, volunteers and learners. Physicians must complete this training as part of the annual reappointment process.
Strengthened the privacy warning on its electronic system, which warns users that unauthorized use of personal health information may result in disciplinary action.

privacy principles after death sanctions

The hospital’s Medical Advisory Committee also recommended disciplinary actions:

A three-month suspension of the physician’s hospital privileges
Three years of enhanced monitoring of his access to patient records
A requirement to present at Grand Rounds on privacy topics upon his return

The IPC concluded that the disciplinary consequences for the physician were sufficient in the circumstances.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. Here’s how you can be proactive to prevent privacy breach pain.

Go beyond policies—model good practices
Use real-life examples in staff meetings
Incorporate gamification and ongoing discussions to engage your team

Privacy awareness is everyone’s responsibility. Make sure your staff know what’s expected, what’s at risk, and what to do if something goes wrong.

If you need to start or update your privacy awareness training program, check out the on-line education Privacy Awareness in Healthcare: Essentials.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget’ to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

References and Resources

Dewhirst, Kate. After Death: Who Can Access The Records Of A Patient After Death? May 7, 2019. https://katedewhirst.com/blog/2019/05/07/after-death-who-can-access-the-records-of-a-patient-after-death/

Ontario Information and Privacy Commissioner IPC Investigation Report PHIPA DECISION 74 HC15-4 Sault Area Hospital August 10, 2018.

Does AI Take Your Data? AI and Data Privacy

Generative AI, including platforms like ChatGPT, DALL-E, Google Gemini, Apple Intelligence, has revolutionized our relationship with technology. Maybe these tools have completely changed how you work and engage with the internet. There seems to be endless ways to use these platforms, many of which are called large language models (LLMs). These chatbots can assist with brainstorming, writing, and even coding—but they also can be significant risks when used carelessly. One of the biggest concerns? Employees inadvertently exposing sensitive company information.

The National Cybersecurity Alliance 2024 Oh Behave report found that 65% of us are concerned about AI-related cybercrime, and most people (55%) haven’t received any training about using AI securely. For AI Fools Week, let’s change that! #AIFools

First and foremost, when you’re using an AI tool, think about what you’re sharing and how it could be used.

Generative AI

Think intelligent about AI

AI models process and store data differently than traditional software. Public AI platforms often retain input data for training purposes, meaning that anything you share could be used to refine future responses—or worse, inadvertently exposed to other users.

Here are the major risks of entering sensitive data into public AI platforms:

Exposure of private company data – Proprietary company data, such as project details, strategies, software code, and unpublished research, could be retained and influence future AI outputs.

Confidential customer information – Personal data or client records should never be entered, as this could lead to privacy violations and legal repercussions.

Many AI platforms allow you to toggle off the use of what you enter for training data, but you shouldn’t trust that as an ultimate failsafe. Think of AI platforms as social media: if you wouldn’t post it, don’t enter it into AI.

Check Before You Use AI At Work

Before integrating AI tools into your workflow, take these critical steps:

Review company AI policies – Many organizations now have policies governing AI use. Check whether your company allows employees to use AI and under what conditions.
See if your company has a private AI platform – Many businesses, especially large corporations, now have internal AI tools that offer greater security and prevent data from being shared with third-party services.
Understand data retention and privacy policies – If you use public AI platforms, review their terms of service to understand how your data is stored and used. Specifically look at their data retention and data use policies.

How To Protect Your Data While Using AI

If you’re going to use AI, use it safely!

Stick to secure, company-approved AI tools at work – If your organization provides an internal AI solution, use it instead of public alternatives. If your workplace isn’t there yet, check with your supervisor about what you should do.
Think before you click – Treat AI interactions like public forums. Don’t enter information into a chatbot if you wouldn’t share it in a press release or post it on social media.
Use vague or generic inputs – Instead of inputting confidential information, use general, nonspecific questions as your prompt.
Protect your AI account with strong passwords and MFA – Protect your AI accounts like all your other ones: use a unique, complex, and long password (at least 16 characters). Enable multi-factor authentication (MFA), which will add another solid layer of protection.

Increase your AI IQ

Generative AI is powerful! But you are wise. Use AI intelligently, especially when sensitive data is involved. By being mindful of what you share, following company policies, and prioritizing security, you can benefit from AI without putting your company at risk.

You May Also Be Interested In

Is AI the Right Fit for Your Clinic? Key Considerations Before You Implement

Medical Secretary Fined for Unauthorized Access And Disclosure to Health Information

Medical Secretary Fined for Unauthorized Access And Disclosure

Privacy Breach Nugget
Ever wonder how privacy breaches happen—and what you can do to stop them? Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s unpack today’s case and explore what went wrong, what worked, and how you can apply these insights to protect patient information.

What Happened

In 2020, a medical secretary working at the University of Alberta Hospital in Edmonton, Alberta, accessed the health information of 17 individuals without any legitimate job-related reason.

The individuals whose information was accessed had personal relationships with the secretary. She went a step further by disclosing sensitive health information about two of them—including infectious disease details—to others who had no reason to know this information.

One of the individuals experienced harassment through text messages as a direct result of this disclosure.

Managing the Breach

The management of the privacy breach can be examined using the 4 Step Response Plan.

unauthorized breach

Step 1 – Spot and Stop

When a privacy incident is suspected, the first priority is to stop the unauthorized access. It would be appropriate to immediately suspend the employee’s access to health information systems like ConnectCare and Netcare.

If you suspect a privacy breach, don’t wait—report it to your Privacy Officer and Custodian right away.

Step 2 – Investigate

Alberta Health Services (AHS) completed an internal investigation including auditing the employee’s system activity.

The investigation assessed the “real risk of significant harm” (RROSH). This case is a stark reminder of how improper access and disclosure of health information can lead to serious harm.

Step 3 – Notify

In Alberta, custodians like physicians and healthcare organizations are legally required to notify:

• The Office of the Information and Privacy Commissioner (OIPC). (See Guide to Reporting Privacy Breaches)
• The Alberta Minister of Health.
• The affected patients whose personal health information was improperly accessed or disclosed.

Additional notifications may include law enforcement, insurers, or other stakeholders depending on the situation.

Step 4 –Prevent the Breach from Happening Again

Proactive prevention is key to prevent breaches like this. Here’s how:

• Conduct regular privacy training to keep privacy awareness top of mind.
• Maintain a privacy incident log to spot trends and address recurring issues.
• Implement and enforce privacy-monitoring practices to detect and deter snooping.

Diane McLeod, Alberta’s Privacy Commissioner, highlighted an “alarming rise” in snooping incidents in health information systems. The OIPC’s 2023-2024 Annual Report revealed 14 potential breaches of the Health Information Act investigated by the Commissioner’s office, with hundreds more reported.

Commissioner’s Investigation

The OIPC has implemented a process to focus on high-priority breaches. Following its investigation, the Commissioner recommended charges under the Health Information Act (HIA).

Court’s Decision

In February 2025, the court sentenced the medical secretary, Kayla Satre, to a $2,000 fine for unauthorized access to health information, violating the HIA.

However, the Crown Attorney withdrew charges related to the unauthorized disclosure of health information.

Take-Aways

Snooping is the unauthorized access to health information. This remains a persistent issue in healthcare. Here’s what you can do:

• Educate and remind your team regularly about the importance of patient privacy.
• Monitor system access proactively to detect and stop unauthorized activity.
• Share real-world examples like this one to drive home the importance of privacy compliance.

Protecting patient information isn’t just about compliance—it’s about trust. Share this example with your team and make privacy a daily priority!

Reference and Resources

Office of the Information and Privacy Commissioner of Alberta. Former Alberta Health Services employee fined for unauthorized disclosure of health information, February 6, 2025. https://oipc.ab.ca/former-alberta-health-services-employee-fined-for-unauthorized-disclosure-of-health-information/

You May Also Be Interested In

3rd Largest Fine Ever Under the HIA – Blog post on the unauthorized use of health information that led to costly fines

Practical Privacy Officer Strategies – Training for clinic manages and privacy officers includes how to respond to a privacy breach and prevention strategies.
Tips to Prevent Employee Snooping – A Key Component of Your Privacy Practice Management Program: A Hands-On Guide to Protect Your Healthcare Practice from Privacy Beaches

3 Parts to Every Privacy Awareness Training Plan

Reasonable Safeguards – the Myth

You may have heard the myth that the Health Information Act (HIA) is a big scary thing that will interrupt your routine, rob you of countless billable hours, impact all of your staff, turn your office inside out, and change the way that you run your entire business!

Myth Buster

The HIA provides structure and framework for reasonable safeguards that apply to any healthcare business.

One of the requirements of reasonable safeguards includes having a privacy awareness training plan.

Click the >> arrow to play the video

Privacy Awareness Training

Your Privacy Awareness Training Plan should include learning objectives throughout the year, including

Orientation – Standardized training curriculum provided to everyone in you healthcare practice at the time of employment. This is often included during a new employee’s orientation period.
Specific – Privacy training that is more detailed and specific to the roles and responsibilities of that individual’s job in your healthcare practice. There may also be specific training when new software, technology, or procedures are introduced anytime throughout the employment.
Reward – Keep privacy awareness top of mind all year long. Recognize and reward when individuals follow privacy principles that also add value to your client satisfaction or business efficiency.

It is reasonable to expect regular privacy awareness training, especially at orientation, and a formal review annually.

What a Privacy Awareness Training Plan Can Do For You

When you implement regular privacy awareness training, you will see:

Privacy and security expectations clearly communicated among your team.
Team members demonstrate their commitment to privacy, confidentiality, security of personal health information.
Efficient practices that protect the privacy and save you time and money
Team members confidently and correctly handle personal health information using reasonable safeguards

Are You a Myth-Buster?

You can be a myth-buster, too, and implement privacy awareness training in your healthcare practice.

You can easily implement reasonable safeguards and meet HIA requirements to ensure privacy, confidentiality, and security of health information that saves you time, frustration and money.

If you need a little help, I have written a practical privacy awareness training course designed for the community health care practice. This is ideal for orientation of new employees and a refresher for the rest of us.

Privacy Awareness in Healthcare: Essentials

Understand basic health care privacy principles and how to handle personal information, use safeguards, and recognize and report a privacy breach.

Ideal for community-based health care professionals and staff, direct care providers, or anyone working with a health care, dental, or social services organization.

An effective privacy compliance program promotes organizational adherence to the Health Information Act (HIA), Personal Information Protection Act (PIPA) Alberta, Personal Health Information Protection Act (PHIPA) Ontario and the Personal Information Protection of Electronic Documents Act (PIPEDA) requirements. A compliance program is your first line of defense to promote the prevention of criminal conduct, and enforce government rules and regulations, while providing quality care to patients. All three training products help protect practices against privacy and security breaches, improper payments, fraud and abuse, and other potential liability areas through education.

Canadian Health Care Privacy Training Solutions

Corridor’s online training makes it easy for health care organizations to comply with provincial and federal legislation that mandates regular privacy training for all health care providers, staff, and vendors.

Select the training that best fits your needs:

NEW! Privacy Awareness in Healthcare Training: Dental Practices – Alberta

Dentists and dental practices in Alberta are required to have an ongoing privacy program to ensure the protection of private records and patient information. The appropriate collection, use, and disclosure of personal information is critical to maintaining privacy for patients that choose to trust in your practice. Accomplishing this important goal demands an up-to-date training strategy.

Privacy Awareness in Health Care Training – Canada

Includes detailed resources for each province and territory with key terminology and links to applicable privacy legislation. Resources are provided for our ten provinces: Alberta, British Columbia, Manitoba, New Brunswick, Newfoundland & Labrador, Nova Scotia, Ontario, Prince Edward Island, Quebec, Saskatchewan, and three territories: Northwest Territories, Nunavut and Yukon. This new product is ideal for both organizations and vendors who provide health care services or have health care clients in more than one province.

Privacy Awareness in Health Care Training – Alberta

Includes the mandatory privacy breach notification amendments to the Health Information Act (HIA).

Privacy Awareness in Health Care Training – Ontario

Specifically covers all legislation and rules specific to the province of Ontario including the Personal Health Information Protection Act (PHIPA).

Refresher: Privacy Awareness in Health Care – Alberta

A quiz-based review of Corridor’s full Privacy Awareness course. The Refresher starts with an initial quiz to assess knowledge on the topics and information covered in the full course. Based on the quiz results, one or more of eight Refresher topic quizzes must be completed, each focusing on a specific subject area. The Refresher also includes access to the original course content.

Privacy Awareness in Healthcare: Essentials

Grab your on-line course from Information Managers and Corridor Interactive

for just $30 per individual 3 month subscription now!

Click Here to Grab Your On-Line Privacy Awareness Course Now!

Build a Strong Privacy Management Program for Your Clinic with These 5 Critical Modules

Build a Strong Privacy Management Program for Your Clinic With These 5 Critical Modules

Many privacy officers in small healthcare practices have other roles—as a clinic manager, healthcare provider, computer network technician, or business owner. It is little wonder that new privacy officers can feel overwhelmed when trying to balance these responsibilities every day.

But that’s not the end of the problem. It actually gets worse!

You could continue to –

Panic when a patient asks for their information for access or correction.

Scramble when new employees and healthcare providers join your clinic . . .and suddenly realize that you never got around to providing privacy and cybersecurity awareness training.

Hope that your practice will not be tapped on the shoulder for a practice review by your college or the OIPC.

Ignore privacy breach and hope no one else notices.

Avoid difficult decisions with your owners / staff who insist on doing things their way – even when it is not privacy compliant.

Never get ‘review privacy impact assessment’ and ‘review privacy policies and procedures’ off of your to-do list.

Avoid discussing privacy and security with your EMR and computer networks managed service providers because you are unsure of what questions to ask and what types of answers you should receive.

If you don’t have a written privacy management program and action plan, you are missing the systems to monitor routine tasks that will protect privacy and alert you to potential problems before they become privacy and security incidents.

Carrying out the duties of a Privacy Officer correctly is vital to ensure your organization is safe from the consequences of a big privacy breach.

But did you know that those organizations who have a privacy officer and a privacy management program are:

Less likely to have a privacy or security incident
Increased staff satisfaction
Increased patient satisfaction and outcomes

We Know That Privacy Is Good For Business

We know that having policies, procedures, and systems in place will improve your privacy compliance in your organization and help you make good business decision.

When we have consistent practices in place, it improves communication and prevents a multitude of problems.

I’d like to share with you what I believe are the 5 critical modules of a privacy management program

The 5 Modules of a Strong Privacy Management Program for Your Clinic includes

Know Your Obligations
Train
Privacy Breach Management
Document
Access and Disclosure

We expect organizations which collect, use, or disclose health information to have key components of a privacy accountability program. These include:

Every healthcare and private organization that is subject to privacy laws must comply with them. A comprehensive privacy management program provides an effective way for organizations to create a culture of privacy in their practice, practice accountability for the collection, use, disclosure, and access of personal information, and show compliance with regulations.

Module 1—Know your Obligations

Key accountability for your privacy management program starts with your healthcare provider(s). These are also known as “custodians”. They are ultimately responsible for the privacy, confidentiality and security of personal health information (PHI).

The key healthcare provider—physician, dentist, chiropractor, nurse—can assign or delegate a key person who is accountable to the custodian to implement and monitor a privacy management program. This is often known as a privacy officer. In many smaller healthcare practices, the clinic manager or practice manager is also the privacy officer.

The business owner (who might also be the healthcare provider) also has obligations to follow the privacy laws as it relates to the privacy of personal information of employee, customers, and general business information.

The healthcare provider, business owner, and privacy officer form a ‘trifecta’ of authority and responsibility in your practice to ensure that you comply with privacy legislation, professional standards of practice, and contractual commitments.

Knowing your obligations includes clear authority and accountability in your practice, inventory of identifying information that you have in your practice, and understanding how privacy legislation guides your business. Your privacy officer and custodians may require training in these areas to better understand their obligations.

Module 2—Training for Privacy Awareness

Training is an important component of your privacy management program. The privacy officer in your organization ensures that privacy awareness, cybersecurity, and privacy breach management are provided in your healthcare practice.

There should be both a formal and an informal training plan. A pre-planned privacy awareness training must be available for everyone in your organization, including new and seasoned professionals. It is critical that you can provide and document that everyone in your organization completed consistent common training.

We can provide informal training throughout the year. For example, have a standing agenda item during your staff meeting to do something consistently for everyone in the organization throughout the year. Leverage activities like Data Privacy Day, Change Your Password Month, Cybersecurity Awareness Week to provide a variety of content.

A frequently missed trigger for additional training happens when an employee is promoted to a new position. This is a great opportunity for the privacy officer to meet with the employee and discuss their new role and how their responsibility, for example, of authorizing new users or supervising employees contributes to the confidentiality and security of PHI.

Remember to document who attended the training opportunities and keep copies of the training content to show your actions to protect privacy.

Listen to the podcast How To Keep Privacy Awareness Top Of Mind | Episode #093 for more tips and resources to help you plan training throughout the year.

Module 3 – Effective Privacy Breach Management

Ensure that a written privacy breach management procedure is part of your overall privacy management program. The privacy officer will document your privacy breach management policies and procedures, sanctions policies and procedures, and train all employees to identify a privacy breach and report it to their supervisor. The privacy officer will manage a (suspected) privacy breach and ensure notification to their custodians, individuals affected by the breach, and others as needed.

The privacy officer will manage mandatory privacy breach notification requirements under the health privacy legislation like the Alberta Health Information Act (HIA), Ontario Personal Health and Information Protection Act (PHIPA) and the Personal Information Protection of Electronic Documents Act (PIPEDA) and other province’s legislation.

See Understanding a Privacy Breach for more tips.

Module 4—Documentation: The Backbone of Privacy Compliance

I think most people in healthcare are familiar with the adage, “If it is not documented, it didn’t happen.” This applies to your privacy management program, too. Your program should include written:

Health Information Privacy and Security Policies, Procedures
Risk Assessment – Safeguards
Practical Privacy Review
Privacy Impact Assessment
Information Management Agreement
Information Sharing Agreement
Successor Custodian
Training plan

These actions will help you protect the PHI of your patients and your business. They help to demonstrate your compliance with your privacy and security obligations. Review and update these key documents annually.

See Privacy Impact Assessment for more tips.

Module 5 – Access and Disclosure: Ensuring Patient Rights

When you collect PHI from patients and PI from employees and customers, you must ensure that they can access, correct, and authorize disclosure of their information.

Release of information (ROI) policies and procedures is a critical module of your privacy management program. Your privacy officer is tasked with ensuring that your ROI plan is written, understood, includes specific training to your employees, and follows legislated standards and professional college standards of practice. When you meet your ROI obligations, you avoid complaints and breaches, work efficiently, and improve the trust of your patients.

Struggling to Learn Your Role As A Privacy Officer On Your Own?

If you are a privacy officer in a healthcare practice who needs practical privacy management strategies to protect your patients and your healthcare business but aren’t sure how to get started, register for the Practical Privacy Officer Strategies training here.

The training starts on Feb 27, 2025.

Not sure if this is for you?

Send me an email and ask me! I’m happy to mentor you and help you assess your practice management and privacy compliance priorities.

3rd Largest Fine Ever Under the HIA

Ever wonder how privacy breaches happen—and what you can do to stop them? Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s dive into today’s case and explore what went wrong, what worked, and how you can apply these insights to protect patient information.

What Happened

An employee who had access to personal health information (PHI) had unauthorized use and altered the PHI. The employer discovered the unauthorized access and conducted an internal investigation. Subsequently, the employer reported the privacy breach to the Office of the Information and Privacy Commissioner as required under the Alberta Health Information Act (HIA).

The Alberta OIPC charged an individual with falsifying COVID-19 immunization records of nearly 200 people from September to November 2021 while they were employed in an administrative support staff role at Alberta Health Services (AHS). The false information was entered into the health information system which feeds into the Alberta Health Immunization record system.

Commissioner’s Investigation

The OIPC opened an offence investigation in June 2023. in March 2024, the OIPC recommended charges under the HIA.

In December 2024, Justice Mah of the Alberta Court of Justice sentenced Hind Mahmoud Dabash to a fine of $12,000 for the offence of knowingly using and creating health information in contravention of the HIA.

The other charge, of knowingly gaining access to the health information of 199 members of the public, was withdrawn.

Take-Aways

The custodian, AHS, was able to monitor and investigate the users’ actions in the electronic medical record systems. This capability is a requirement of health information systems and is a deterrent to individuals to access and alter PHI.

This case is unusual because the employee altered or changed the results of the immunization records which could have resulted in inaccurate diagnosis and treatment decisions for the individual and their families and contacts.

Regular privacy awareness training and monitoring of user activity audit log and supervision are essential steps to prevent and detect the unauthorized use of health information.

Reference

Alberta OIPC News Release December 19, 2024. https://oipc.ab.ca/court-case-concludes-in-sentencing-for-offence-under-health-information-act/

You May Also Be Interested In

5 New Year’s Resolutions for Privacy Officers and Clinic Managers

Why Privacy Resolutions Matter for the New Year

The start of a new year is the perfect time for clinic managers and privacy officers to reflect, reset, and refocus their efforts on safeguarding patient information. Just as individuals set personal goals for growth, healthcare organizations benefit from creating resolutions to strengthen their privacy practices. With evolving regulations, new technologies, and the ever-present risk of breaches, a proactive approach ensures your clinic stays ahead of potential challenges. These five New Year’s Resolutions will help you prioritize compliance, reduce risks, and foster a culture of privacy and accountability in your practice.

1. Review Your Clinic Description and Privacy Impact Assessment (PIA)

Start by assessing your clinic’s current operations and comparing them to your original plans. Are they still aligned, or have new challenges or opportunities arisen? Consider the following:

Are there any new initiatives or technologies your clinic is planning to implement this year?
Are there upcoming changes in personnel, stakeholders, or organizational structure?
Have there been any recent or anticipated legislative updates that could impact your privacy practices?

Identify updates that need documentation and determine if you need to notify the Office of the Information and Privacy Commissioner (OIPC).

Regularly updating your PIA ensures your clinic stays compliant, prepared, and aligned with its goals.

If you haven’t completed a PIA, make it a top priority this year! A PIA ensures compliance and protects your patients and organization.

Tip: Check out the December 2024 Q&A With Jean for the ‘Annual Review Checklist’ template to help you right away!

2. Monitor Privacy Breaches and Annual Trends

Take a close look at the privacy breaches and near misses from the past year. What patterns or trends stand out? Are there recurring issues, such as faxes being sent to the wrong number or patient forms being given to the wrong person?

It’s time to evaluate your current approach. If reminders to “be more careful” haven’t reduced these incidents, it’s a sign that a new strategy is needed. Process changes, additional staff training, or implementing new tools might be necessary to achieve better results.

Action Step: If you don’t already have a privacy breach reporting tool to provide a clear summary of all breaches at a glance, make it a priority to implement one now. Use this tool to document trends, analyze recurring issues, and develop actionable solutions to discuss during staff meetings.

3. Privacy Awareness Training for Everyone!

Recent decisions, such as Ontario IPC’s PHIPA Decision 260, highlight the importance of mandatory Privacy Awareness Training (PAW) training for all staff, including physicians.

Ensure your organization not only mandates this training but also enforces compliance. Accountability starts at the top.

Case Study: In Decision 260, a hospital faced repercussions when a physician accessed 1,400 patient records without proper authorization due to lack of enforced PAW training. How do you ensure that every employee and healthcare provider receive PAW training at your practice?

4. Plan for Succession

Every business owner needs a plan to ensure that there is a plan to continue or close their business if there is a sudden inability of the owner to do their job.

Custodians must designate a successor to ensure patients maintain access to their records in case of sudden changes. Naming a successor custodian who will advocate for and ensure the proper access and retention of patient records is a requirement of professional standards of practice and good business sense.

Clinic managers should know who the designated custodian is and ensure there’s a written agreement in place.

Thought Experiment: Succession planning is critical for privacy officers and clinic managers, too! Who will take over your role if you win the lottery tomorrow? Develop a training plan for your protégé. Check out the upcoming Practical Privacy Officer Strategies training.

5. Review Your Technology Stack

Recent outages like Microsoft 365 or platform closures (e.g., Bench) highlight the importance of contingency planning.

A technology stack inventory includes a listing of your data holdings and software and hardware vendors that you use in your business.

Include the vendor contact details and backup plans for service disruptions.

Ensure that you have written agreements for each service and appropriate access, security, and retention for PHI.

Conduct a risk assessment of the technology that you implement in your business to evaluate the impact of downtime on your clinic. The higher the risk, the more important it is to have a business continuity plan.

Bonus: Email me for a free Technology Stack template to get started!

Schedule these activities into your calendar to prompt you to dedicate time to complete your resolutions. They are not difficult and will contribute to privacy compliance in your practice.

Need some help with your privacy compliance? Join our Practice Management Success Membership for templates, guides, and expert support to make 2025 your best year yet!

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you. Jean L. Eaton Your Practical Privacy Coach INFORMATION MANAGERS

Is AI the Right Fit for Your Clinic? Key Considerations Before You Implement

AI tools, like transcription apps, are revolutionizing healthcare by speeding up processes and reducing tedious tasks. But before diving in, it’s critical to ask: Is this the right choice for your clinic? A game plan is essential to assess risks, outline goals, and document decisions. Here’s what you need to know.

Essential Steps to Evaluate AI for Your Clinic

When introducing AI into your clinic, following a structured process ensures thoughtful decision-making and minimizes potential risks. Clinic managers are telling me that their docs quickly download AI apps to their phone and start dictating clinic notes. Then they want a way to upload these into their electronic medical records (EMR).

As the clinic manager or privacy officer, you need to pause and consider the privacy and security implications. Here are 6 steps to help you evaluate AI for your clinic.

	1. Define Your Goals: What do you want the AI tool to achieve? Faster clinic notes? Accurate referral letters?
	2. Vet the Vendor: Assess their track record, security measures, and support.
	3. Understand the Workflow: Choose between local storage or cloud hosting. Start with a small-scale pilot.
	4. Conduct a Risk Assessment: Examine privacy, security, and compliance risks.
	5. Update Policies and Procedures: Ensure staff are trained and patients informed.
	6. Monitor to Ensure Accuracy, Efficiency, and Compliance: Regularly review your users and the AI tool performance and adjust workflows as needed.

The Role of AI in Clinics

Artificial intelligence mimics human actions to process information and assist decision-making. However, it’s crucial to remember that AI tools complement human judgment—they don’t replace it. For example, when assessing AI for transcription, keep in mind:

Hardware, Software, and Data: AI apps rely on all three. Ensure you understand where data will be stored and processed.
Integration: Will the tool integrate seamlessly with your EMR, or will you need to adapt workflows?

Transcription Workflow Scenarios to Consider

Trending AI projects in healthcare include using AI to assist with the generating clinic notes. Two common workflows for AI transcription tools are:

Local Processing: Dictations are transcribed directly on your device. Data doesn’t leave your clinic, but users must delete files after processing to avoid breaches.
Cloud-Based Systems: The tool listens during patient consultations, processes data in the cloud, and generates a text document which is uploaded to your EMR.

Anticipate how you will integrate the tool into your practice. Consider the following questions.

Accuracy: Who will review the transcribed reports to ensure they accurately capture the clinical conversation? AI tools can struggle with accents, unclear speech, or poor microphone usage.
Quality Assurance: Evaluate whether the AI effectively handles nuances in language, such as patients who are not strong English speakers. Ensure the clinical summaries are complete.
Efficiency vs. Quality: While AI can save time, the generated reports must meet quality standards. It may be that an AI-prompted clinical note is more complete than one that is written manually by the healthcare provider. Balance efficiency with the need for high-quality documentation.
Ethical Considerations: Ensure the AI’s interpretation of clinical conversations remains neutral and unbiased.

Starting small can help. For example, use the tool for specific patient visits or with one or two providers before scaling up.

Vetting the Vendor

Selecting a vendor for your AI tool requires thoughtful consideration to ensure you choose a provider with the experience and reputation you trust. The right vendor will help you implement the tool securely and effectively.

Ask these key questions:

How does the vendor safeguard health data?
Where will data be stored (locally, in Canada, or internationally)?
Have they conducted independent security audits?
How do they handle biases in AI-generated data?

A trusted vendor should answer these questions transparently. For help, check out the Canada Health Infoway’s checklist [link] for evaluating AI tools.

Privacy and Compliance

A privacy impact assessment (PIA) is a process to assess the impact of new or change to existing administrative practice, information system or practices relating to the collection, use, disclosure of personal (health) information.

The PIA documents the reasonable safeguards that you will take to protect the privacy, confidentiality, and security of health information.

Changes in technology, like implementing AI tools, trigger the need for a PIA. In particular, a PIA for transcription AI tools will include these questions.

How Will you Notify Patients? Inform patients how their data will be collected, processed, and used. Clearly communicate this through notices, laminated summaries, or consent forms.
Information Management Agreements (IMA). Ensure the vendor IMA include robust privacy clauses and clear restrictions on data use and secondary purposes.
Where is the Source Data Maintained? In a transcription app, know where the audio files are stored and how long they are kept. Automate deleting temporary files once their purpose is served, and ensure compliance with data retention policies.
How Will You Secure the Integrity of the Current Patient Record and Reduce Risk? Whenever you add new systems, you also increase the risk of compromise. Call on your computer network vendor and EMR vendor to help you assess the new AI Tool and how it might impact your current systems.

Next Steps: Plan, Document, and Ask for Help

Implementing AI takes time, effort, and clear documentation. Outline your workflow based on the steps outlined in this article: define your goals, vet the vendor, understand the workflow, conduct a risk assessment, update your policies, and monitor for accuracy, efficiency, and compliance. Then, ensure policies are updated, and staff are trained on the new processes. For guidance, visit Practice Management Success Membership or explore resources from the Office of the Information and Privacy Commissioner (for example, AI: Guidance for Small Custodians on the use of Artificial Intelligence) and the Canada Health Infoway (for example, Preparing the Health Care Community for AI Implementations

Have questions about a PIA for your AI implementation? Reach out to me—I’m here to help you with your privacy compliance.

AI tools offer exciting possibilities, but success lies in thoughtful implementation. Take the first step by assessing your clinic’s needs and evaluating risks. With the right approach, you can harness the power of AI while safeguarding patient trust.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you. Jean L. Eaton Your Practical Privacy Coach at Information Managers.

Changes to Alberta’s Privacy Impact Assessment (PIA) Review Process

PIA Review Process for Healthcare Practices In Effect Now

If you’re a clinic manager or privacy officer in Alberta, this is an important update for you. The Office of the Information and Privacy Commissioner (OIPC) has announced changes to the Privacy Impact Assessment (PIA) review process that will impact custodians under the Health Information Act (HIA), public bodies under the Freedom of Information and Protection of Privacy Act (FOIP Act), and private sector organizations under the Personal Information Protection Act (PIPA).

In Alberta, when a healthcare practice completes a PIA, it gets signed off internally by the custodian—whether that’s a physician, dentist, chiropractor, or another health professional. From there, the PIA is submitted to the OIPC for review. This review process has been a crucial step in ensuring that health information privacy is adequately protected. The OIPC issues a file number once the submission is received.

Starting October 1, 2024, the OIPC is streamlining its review process.

The OIPC will receive the PIA.
The PIA will be reviewed as it is submitted.
PIAs will no longer be ‘accepted’, ‘conditionally accepted’, or ‘not accepted’.
Instead, the PIA will be reviewed and a closing letter with comments and recommendations will be issued to the custodian.

One important detail: if the OIPC finds that your PIA is incomplete, they will close the file and notify you to consider re-submitting once the gaps are addressed.

It’s worth noting that the PIA requirements laid out in the OIPC Privacy Impact Assessment Requirements Guide (2010) are still valid. While changes are on the horizon, the OIPC has confirmed that the current guidelines remain applicable for the time being.

What This Means for You

If you’re a custodian under the HIA, you’re required to submit PIAs to the OIPC for review before implementing new administrative practices or information systems (HIA s.64). The key steps in the PIA process include:

1. Prepare health information privacy and security policies and procedures that comply with the HIA.
2. Conduct a privacy and security risk assessment and documenting any mitigation strategies
3. Complete the PIA using the OIPC’s format, which must be signed off by the healthcare custodian and the organization.
4. Submit the PIA to the OIPC for review. The custodian is encouraged to ensure the PIA is complete and thorough before submission.
5. Receive a closing letter from the OIPC with any comments or recommendations.

Also, PIAs submitted before October 1, 2024, but not yet reviewed by the OIPC, will still fall under the new process.

PIA Privacy Impact Assessment Pink Elephant Log

Need Help with Your PIA?

If you’re planning to introduce new technology, implement new systems, open a new clinic, or make amendments to your existing PIA—whether you’re moving from local servers to the cloud, relocating clinics, or adding new services—these changes could affect you.

Navigating the PIA process can feel like tackling the elephant in the room. But you don’t have to do it alone. If you need help with your PIA or guidance on amendments, visit InformationManagers.ca/PIA for support. We’re here to help you every step of the way.

Table-Top Privacy Breach Fire Drill

What is a Table-Top Privacy Breach Fire Drill?

A table-top privacy breach fire drill is a cost-effective way to prepare for a privacy and security incident in your healthcare organization. You should have a written privacy breach incident response plan in your healthcare practice. Have you practiced your response plan lately?

A table-top privacy breach fire drill allows your incident response team to rehearse their skills in a controlled exercise.

Do you remember your school days when every month or two you had a fire drill? The fire alarm would go off and everybody would go out the doors and very calmly go down the stairs and out the doors and into their muster point.

We take the same approach with privacy breach fire drills. Fires can happen at different times, places, and for different reasons. Whey you change the scenario, you develop alternate strategies or playbooks to best respond to the fire.

A privacy breach incident playbook contains all the actionable steps to take when a privacy beach incident occurs. Your playbook will have many ‘plays’ or actions to take when different types of privacy breach incidents occur. You could also think of it as a recipe book. You have many types of recipes to select from. Identify the ingredients that you have on hand (or the characteristics of the latest privacy incident) and select the most appropriate recipe to resolve the incident.

The Importance of Practicing Your Privacy Breach Response Plan

Healthcare providers, owners, and privacy officers hear about big privacy breaches on the news and hope it won’t happen to them. It keeps them up at night…because they know that properly preventing or managing a privacy breach is critical to the continued success of their business. Implementing a table-top privacy breach fire drill will help!

Picture this. You call a meeting of your incident response team. This may include your privacy officer, computer network support or managed services provider lead, physician, dentist, or other healthcare lead, your media spokesperson, and clinic manager. The privacy officer distributes a privacy breach incident scenario summarized on one page.

The team members read the scenario and then discuss what steps that they would take to respond to the privacy breach incident.

Using the 4 Step Response Plan as your playbook guideline, the incident response team note-keeper documents the hypothetical steps that the team takes to respond to the breach. Record the decisions, the resources, and the questions that you explore in this scenario.

When the table-top exercise is complete, you now have a detailed action steps that you can take when a similar privacy incident occurs in your healthcare practice.

How To Use The Table-Top Privacy Breach Fire Drill Technique

The goal of a privacy breach fire drill is to develop your playbook so you can spring into action when a similar privacy and security incident occurs in your healthcare practice.

Real-World Scenarios: Turning Headlines into Practice Drills

First, identify a scenario that could happen in your practice. Unfortunately, it’s easy to find an example about a privacy and security breach in the news. Grab a privacy breach example and pull out the bits and pieces of the information that might apply to your organization. When you select scenarios that could happen in your organization the exercise is more meaningful for you, and you will develop tools and templates that are going to help you in the event that a very similar privacy and security incident happens in your organization.

Let’s use the recent privacy breach incident that came from the province of Saskatchewan* when a cybersecurity attack that happened in their E-Health system. This attack may have started when an employee who had authorized access to the e-health system used a personal tablet to connect with a USB to the Saskatchewan health authority’s computer. This enabled a virus from that personal tablet to infect the computer system and ultimately the e-health system, allowing millions of files to be stolen. Strip the example down to its key points. Create additional details and assumptions where needed to give the team members enough information to discuss the scenario during the fire drill exercise.

Step 1 Contain The Breach Immediately

The first step in every incident is to spot and stop the breach. Make an assumption that the employee who connected the personal device to your computer is now seeing that message on the screen that says that there’s a virus in the system. One of your incident team members plays the role of the employee and completes Step 1 of the privacy breach incident response form and notifies their supervisor or the privacy officer.

Another team member assumes the role of the privacy officer and explains what their next action steps would be.

Record each action that you consider. Document each policy, resource, phone number and email address that you would use in a real event. This creates the action steps in your playbook.

Step 2 Evaluate the Risks Thoroughly

Discuss the risks that could affect the computer systems. What tools do you need to evaluate the harm of this incident? How might this affect patient care and the privacy of patient information?

Contact your vendors and ask them to contribute to the risk assessment in this scenario.

Who else might you want to call on for assistance to investigate this incident?

You might want to revisit the news item for additional information about the actions that were taken that you might also need to explore.

In your playbook, record good leading questions to help you to investigate the incident and evaluate the risks of harm.

Step 3 Notify the Right People and Authorities

Strategize who you would notify about the incident. Prepare written notification to the custodians, patients, regulators and even media statements. These become templates in your playbook that you can quickly implement in your real event.

Role-play your media spokesperson being interviewed on the evening news. It’s much better to practice now, before you are in a crisis.

Step 4 Prevent the Breach From Happening Again

This might be the most valuable step in the privacy breach fire drill. Complete the privacy breach incident worksheet and summarize this practice scenario. Consider how likely this scenario could happen in your practice. What type of training could be done now to prevent this from happening? What tools or training do your incident response team members need today to make it easier for them to monitor and prevent this scenario from happening?

The Benefits of Regular Privacy Breach Fire Drills

At the conclusion of this fire-drill, your team is ready, energized, and have the tools that they need to make sure that they can respond to that privacy and security breach as quickly as possible. This absolutely is a great investment in your time. These table-top privacy breach fire drills are a great demonstration of your commitment as an organization to ensure that you are protecting the privacy confidentiality and security of health information.

« Older Entries

Search

What is the elephant in the room?

Find out here....

"I had the pleasure of working alongside Jean to develop a PIA for my Dental Office. I could not have completed this document without her. She was there to help me every step of the way. Her online course made it easy to communicate with her as well as having so many resources to use that were so helpful. Each Module had videos to watch that explained step by step what needed to be done. The PIA document is a lot of information to put together and if it's not enough information on its own, you also need to develop a policy and procedures manual. Jean has developed an amazing resource for this manual that was very user friendly and made a 300 page manual a lot more attainable than creating it on your own. I highly recommend taking Jean's PIA course and having her help throughout the process!"

- Lindsey Cave, Office Manager, Orion Dental Group