Table-Top Privacy Breach Fire Drill

Table-Top Privacy Breach Fire Drill

What is a Table-Top Privacy Breach Fire Drill?

A table-top privacy breach fire drill is a cost-effective way to prepare for a privacy and security incident in your healthcare organization. You should have a written privacy breach incident response plan in your healthcare practice. Have you practiced your response plan lately?

A table-top privacy breach fire drill allows your incident response team to rehearse their skills in a controlled exercise.

Do you remember your school days when every month or two you had a fire drill? The fire alarm would go off and everybody would go out the doors and very calmly go down the stairs and out the doors and into their muster point.

We take the same approach with privacy breach fire drills. Fires can happen at different times, places, and for different reasons. Whey you change the scenario, you develop alternate strategies or playbooks to best respond to the fire.

A privacy breach incident playbook contains all the actionable steps to take when a privacy beach incident occurs. Your playbook will have many ‘plays’ or actions to take when different types of privacy breach incidents occur. You could also think of it as a recipe book. You have many types of recipes to select from. Identify the ingredients that you have on hand (or the characteristics of the latest privacy incident) and select the most appropriate recipe to resolve the incident.

The Importance of Practicing Your Privacy Breach Response Plan

Healthcare providers, owners, and privacy officers hear about big privacy breaches on the news and hope it won’t happen to them. It keeps them up at night…because they know that properly preventing or managing a privacy breach is critical to the continued success of their business. Implementing a table-top privacy breach fire drill will help!

Picture this. You call a meeting of your incident response team. This may include your privacy officer, computer network support or managed services provider lead, physician, dentist, or other healthcare lead, your media spokesperson, and clinic manager. The privacy officer distributes a privacy breach incident scenario summarized on one page.

The team members read the scenario and then discuss what steps that they would take to respond to the privacy breach incident.

Using the 4 Step Response Plan as your playbook guideline, the incident response team note-keeper documents the hypothetical steps that the team takes to respond to the breach. Record the decisions, the resources, and the questions that you explore in this scenario.

When the table-top exercise is complete, you now have a detailed action steps that you can take when a similar privacy incident occurs in your healthcare practice.

How To Use The Table-Top Privacy Breach Fire Drill Technique

The goal of a privacy breach fire drill is to develop your playbook so you can spring into action when a similar privacy and security incident occurs in your healthcare practice.

Real-World Scenarios: Turning Headlines into Practice Drills

First, identify a scenario that could happen in your practice. Unfortunately, it’s easy to find an example about a privacy and security breach in the news. Grab a privacy breach example and pull out the bits and pieces of the information that might apply to your organization. When you select scenarios that could happen in your organization the exercise is more meaningful for you, and you will develop tools and templates that are going to help you in the event that a very similar privacy and security incident happens in your organization.

Let’s use the recent privacy breach incident that came from the province of Saskatchewan* when a cybersecurity attack that happened in their E-Health system. This attack may have started when an employee who had authorized access to the e-health system used a personal tablet to connect with a USB to the Saskatchewan health authority’s computer. This enabled a virus from that personal tablet to infect the computer system and ultimately the e-health system, allowing millions of files to be stolen. Strip the example down to its key points. Create additional details and assumptions where needed to give the team members enough information to discuss the scenario during the fire drill exercise.

Step 1 Contain The Breach Immediately

The first step in every incident is to spot and stop the breach. Make an assumption that the employee who connected the personal device to your computer is now seeing that message on the screen that says that there’s a virus in the system. One of your incident team members plays the role of the employee and completes Step 1 of the privacy breach incident response form and notifies their supervisor or the privacy officer.

Another team member assumes the role of the privacy officer and explains what their next action steps would be.

Record each action that you consider. Document each policy, resource, phone number and email address that you would use in a real event. This creates the action steps in your playbook.

Step 2 Evaluate the Risks Thoroughly

Discuss the risks that could affect the computer systems. What tools do you need to evaluate the harm of this incident? How might this affect patient care and the privacy of patient information?

Contact your vendors and ask them to contribute to the risk assessment in this scenario.

Who else might you want to call on for assistance to investigate this incident?

You might want to revisit the news item for additional information about the actions that were taken that you might also need to explore.

In your playbook, record good leading questions to help you to investigate the incident and evaluate the risks of harm.

Step 3 Notify the Right People and Authorities

Strategize who you would notify about the incident. Prepare written notification to the custodians, patients, regulators and even media statements. These become templates in your playbook that you can quickly implement in your real event.

Role-play your media spokesperson being interviewed on the evening news. It’s much better to practice now, before you are in a crisis.

Step 4 Prevent the Breach From Happening Again

This might be the most valuable step in the privacy breach fire drill. Complete the privacy breach incident worksheet and summarize this practice scenario. Consider how likely this scenario could happen in your practice. What type of training could be done now to prevent this from happening? What tools or training do your incident response team members need today to make it easier for them to monitor and prevent this scenario from happening?

The Benefits of Regular Privacy Breach Fire Drills

At the conclusion of this fire-drill, your team is ready, energized, and have the tools that they need to make sure that they can respond to that privacy and security breach as quickly as possible. This absolutely is a great investment in your time. These table-top privacy breach fire drills are a great demonstration of your commitment as an organization to ensure that you are protecting the privacy confidentiality and security of health information.

 

Strengthen Your Privacy Defense with Table-Top Drills

In-Person Workshop Coming to a Region Near You!

If you are a clinic manager, privacy officer, information technology support, or administrative lead responsible to prevent and to respond to a privacy breach of personally identifying health information, register now to participate in this practical workshop near you!

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

You are working at the reception desk of a healthcare practice. Suddenly, there is a police officer giving you a court order! Do you know how to prepare patient records for a court order?

panic button

Don’t Panic!

Take a deep breath. Then, follow these steps to help you to respond to a request for patient records for a court order with confidence!

Listen to the Design Your Practice Podcast with Kayla Das!

Episode 76: How to Prepare Client Records for a Court Order with Jean Eaton

 
designer practice podcast logo court order

Listen to the Podcast Here

You can also find the podcast on Apple Podcast, Spotify, and YouTube. Simply search for “Designer Practice Podcast” on your preferred platform.

 

Follow These Steps

In this article, I am not discussing a situation which relates to a life-threatening situation that requires an immediate response. I am also not discussing when the order relates to the type or quality of healthcare provided to the patient or when the actions of the healthcare provider or clinic is being challenged or reviewed. These are topics for a different article.

Your reception staff should not accept the court order but, instead, immediately ask the officer to wait for a few minutes so that they can request their supervisor or privacy officer meet with them.

When the court order is an administrative request for information, the supervisor or privacy officer will accept the court order from the officer. Before the officer leaves, make sure that you read the court order carefully and ensure:

  • Who is named in the court order.
    • This is often the clinic manager of the clinic. Your clinic should be specifically named or, perhaps, the name of your lead physician or healthcare provider.
  • Record the date and time that you received the order.
  • Clarify when the response is required.
  • Name and contact information.
    • This could be of the officer that delivered the court order (if possible).
    • At minimum, it should include the contact information of the court, for example, the court clerk’s office or the witness co-ordinator, or the sheriff’s office.
  • The province or jurisdiction of the court.
  • In general, this should be the same province where your clinic operates. If not, contact your lawyer for advice on how to respond.

Review Your Policies and Procedures

This is not a routine request from a patient to access their health records or a request to disclose their records to a third party like a lawyer or insurance company. In those routine requests, patients are generally required to provide a written, signed consent before you can disclose their records.

When you receive a court order or subpoena to produce patient records at a court or other legal proceeding, you are not required to get a signed consent from the patient.

Each healthcare practice should have detailed policies and procedures on how to prepare patient records for a court order. Review these now.

If you don’t have up-to-date policies and procedures, see the Practice Management Success Tip, How to Prepare Patient Records for a Court Order.

Validate the Court Order

Read the court order carefully. In particular,

  • Phone the contact number on the court order.
  • Confirm the date, time, and location that you are required to appear.

Locate the Patient Record

Find the patient information maintained in an electronic database, electronic medical record (EMR) and/or paper records. Remember to look for both active and inactive patient records as needed by the court order.

Read the patient record carefully, line by line, to ensure that the record is complete. For example, make sure that all lab reports, prescriptions, consultation notes, etc. are included in the record.

Secure the record to prevent snooping or modification to the record. Also ensure that the record is available for continuing care and treatment of the patient, if needed.

In an electronic record, prepare an audit log of all the transactions on that patients’ chart.

Ensure there is no duplicate or second chart for the patient that may have been created in error. Search by alternate names, spellings, date of birth, etc.

Ensure that each custodian included in the patients’ care and your healthcare practice’s privacy officer is informed of the court order to produce the record. The custodian should be provided an opportunity to review their clinic notes. Remind the custodian that they cannot further disclose the patient’s record.

Prepare the Patient Record

Review the court order and identify exactly what information is requested. It might be for specific dates or a condition or treatment.

Keep complete and detailed notes about how you prepared your response to the court order. You will bring your notes with you to court to assist you in your testimony about how your clinic creates and maintains patient records and what you did to respond to the court order. After your court appearance, you will maintain your notes as part of the business records for the clinic.

Collect the information and record each of your steps and your results, including the records that you searched for as well as those that you did not find any results for.

If you maintain your patient records in an electronic medical record (EMR) or digital practice management software, print out a hard copy of all the information that responds to the information that is requested.

Sever (also known as redact or black-line) any information that is not appropriate to include in the disclosure. Cross-reference each redacted entry to the legal authority not to include the information in the disclosure.

illustration of text that has black lines through sections sever or redact part of How to Prepare Patient Records for a Court Order
If you are using an EMR, organize the paper print-out in a format that makes sense. This might be in chronological date order, or by grouping like records (clinic notes, lab results, etc.) together.

Create a ‘Table of Contents’ of the information in the patient record. This will help you in your testimony to quickly find requested information, and to help the court to locate information in the records that you have prepared.

At the same time, handwrite in ink at the bottom of each page the sequential page number in the package. Update the table of contents with the page numbers.

Stamp ‘COPY’ on each page.

When the package is complete, make a photocopy (or two) of the entire package. The ‘original’ paper copy will be maintained at the clinic. Bring the original and the copy to court and ask the court to accept your copy. Return the original package to the clinic and securely maintain this as part of the business records of the clinic until the court file is complete.

When You Attend At Court

As the clinic manager, your role at the court is to tell the court how patient information is collected and maintained in your healthcare practice. Your job is not to interpret the content of the clinic notes.

A few days prior to the court date indicated on the court order, phone the clerk’s office or witness support office to confirm the date, time, and location of the proceedings and if you are still required to attend.

image of 3d figure in a witness box in court raising hand to affirm testimony How to Prepare Patient Records for a Court Order
On the day of the proceedings, report to the clerk of the court.

Bring with you the court order, your photo ID, the patient record, and your notes. Bring a good book to read in case you have a long wait.

You will be advised (again) if you are required that day. If you are not required, the clerk will make a notation on your court order to appear that you attended and that you have been dismissed. Keep this in your business records with the patient record.

If your testimony and the patient records are required, you will be called as a witness during the court proceeding.

You will be asked to swear or affirm an oath to speak honestly during your testimony.

Typical questions that you should be prepared to answer include:

  • Your name.
  • Your role at the clinic, how long you have been in that role, your routine tasks and responsibilities at the clinic.
  • Describe how patient records are maintained. Be prepared to explain your EMR or computer patient management system (if you have one).
  • Bring your notes about the steps that took to prepare for the court order. You may ask permission of the court to refer to your notes that you created when preparing to respond to the court order during your testimony, if necessary.
  • Explain that the patient records are kept electronically and that you have prepared a paper print-out of those notes.
  • Be prepared to explain how you know that the records are complete, not missing any details, etc.
  • If the court asks you to enter the records into evidence, explain that you have an ‘original’ and a ‘copy’ and ask the court to accept the ‘copy’ into evidence.

When You Return to the Clinic

Complete your notes by documenting your day at the court. Write a short summary of your day including:

  • Did you give a copy of the patient records to the court? To whom?
  • Remember to add this notation to the patients’ record that you disclosed this information according to the court order.
  • Any follow-up required for this disclosure?
  • Review your procedures. Anything that you would edit or provide additional instructions that will help you to be better prepared for next time you receive a court order?
  • Submit a copy of your out of pocket expenses (parking receipts, meals, etc.) for re-imbursement by your employer, if applicable.

What You Should Do Now

  1. Review your policies and procedures now to ensure that it includes how to respond to a court order.
  2. Train your reception staff on what to do if they receive a court order.
  3. Train your privacy officer and clinic manager on how to prepare a patient record for a court order.

Depending on where you work, you may receive a court order regularly or it might be a once-in-a-career experience. When you have policies and procedures and a little bit of training to assist you, you can respond to a court order calmly and confidently.

If you are a member of Practice Management Success, login and access the ’Procedure:  Preparing Patient Records for a Court Order’ template and the replay of the tutorial video.
 
image Jean L. Eaton

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

In order to provide services, healthcare practices must collect pertinent information from patients. This data gathering often includes many sources of information, across different types of technology, among multiple vendors. Good business practices and health records management is supported by three agreements your healthcare must have: information manager agreement (IMA), information sharing agreement (ISA), and successor custodian agreement.

For instance, when a patient attends a clinic, their details are nearly always entered into a computer software program to maintain demographic information, manage patient appointments, and to process payments. Often, health service providers (including physicians, pharmacists, chiropractors, dentists, psychiatrists and more) record their patients’ notes into an electronic medical record (EMR).

Patient information is shared between providers where required. For example, when the patient visits a diagnostic lab for testing, results are often transmitted electronically to the ordering physician’s fax machine or to the EMR.

Custodians including physicians, pharmacists, chiropractors, dentists, and psychiatrists, as defined by the Alberta’s Health Information Act (HIA), must follow HIA legislation when they collect, use, and disclose health information.

Often, custodians are also the owners of independent healthcare practices. However, an owner of a healthcare practice is not the custodian if they are not also an active member of a regulated health profession named as custodians in the HIA.

1. Information Manager Agreement

The HIA allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, so patients can receive health services, and make payments. This often requires the custodian to share patient information with a vendor (or give them access to) so the vendor can process, store, or provide information as needed.

The custodian selects one or more business to provide the services, equipment, or software to assist in the management of health information. For example: EMR provider, contracted transcriptionist, billing agent, remote backup service, etc. These businesses are known in the HIA as information managers.

Before sharing health information with someone else, the custodian must ensure that the partners and vendors have reasonable safeguards in place to protect sensitive health information. The custodians must ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

The Information Manager Agreement (IMA) is one of three crucial agreements a healthcare practice must have in place.

If You Don’t Have an IMA

If you are a custodian who uses vendors as part of your business and you do not have an IMA with that vendor…

  • You are in breach of the HIA.
  • You may incur fines under the HIA.
  • You may face sanctions and disciplinary actions from your professional regulatory college.
  • Almost certainly, you will encounter conflicts, poor communication, between yourself and the vendor(s) and the other participating custodians in your practice.
  • You may lose control of the health information as reported in the Investigation Report H2013-IR-01from the Alberta Office of the Information and Privacy Commissioner (OIPC).

In a press release from the Alberta OIPC in 2013, Information and Privacy Commissioner Jill Clayton noted that:

“The HIA allows custodians to disclose health information to IT service providers, such as EMR vendors, under an appropriate Information Manager Agreement. When custodians do not sign these agreements, they may find themselves in the unfortunate position of losing control over the health information they need to provide health services.”

Investigation Report H2013-IR-01 (https://www.oipc.ab.ca/news-and-events/news-releases/2013/investigation-report-h2013-ir-01.aspx)

Who Must Create the Information Manager Agreement?

The custodian is responsible to ensure that there is an appropriate IMA created and signed.

The information manager can assist the custodian by preparing templates of the IMA including specific details of the services that they will provide and the safeguards that the vendor will implement to protect personal health information.

Key Points About IMAs

A few important notes about IMAs.

  • IMA must be signed by the custodian.
  • Agreements signed by individuals who are not custodians are not valid under the HIA.
  • Custodians are required under the HIA to have an IMA with the vendor before disclosing health information. If there is no agreement in place, the custodian is in breach of the HIA.
  • Custodians are responsible for the health information that they collect, use, and disclose. Therefore, the custodian is responsible for the IMA and to ensure that the health information will be handled confidently and securely.

Key Points IMA

The custodian can select the best vendor and information manager for the job. The vendor who understands the requirements of the HIA and who can demonstrate that they have implemented the appropriate reasonable safeguards and can assist the custodian to develop an appropriate IMA is, in my opinion, demonstrating a significant competitive advantage.

All healthcare providers in a community practice should spend time when creating their business to establish good business practices, including developing written contracts and agreements to improve the efficiency of the business and to make things happen in the way that they are planned.

Here is a common example

Dr. Alice and Dr. Mark created a welcoming family medical practice in a new sub-division of their city. They each worked hard to attract new patients, hire and train staff, and develop a profitable business.

In the last few years, Alice and Mark had differences of opinion on how to grow their business. In the end, Alice decided that this type of practice wasn’t for her. She decided to leave and join a larger practice in a neighbouring subdivision. Alice wanted to take her patient’s records with her to her new practice and continue to see her patients at the new location.

Mark, who had signed the IMA with the EMR vendor, did not agree to Alice’s request to transfer her patient records to her new group practice.

Alice and Mark argued and eventually involved a professional mediator to help them resolve their business conflict. Hurt feelings between the providers and staff, costly delays in their business and expenses could have been avoided if Alice and Mark had established clear expectations in the event of the termination of their business partnership when they started their group practice. An IMA between custodians in a group practice is a recommended best practice.

When You Have Multiple Custodians in Your Healthcare Practice

When the practice has multiple providers, the owner and custodian frequently assumes responsibility for maintaining the contracts and IMAs with the vendors. Each of the participating healthcare providers may delegate the responsibility of maintaining the vendor arrangements to the custodian owner. This can be achieved with an IMA between the owner / custodian and each participating custodian.

Custodian Owner IMA

Each healthcare provider custodian is considered the custodian of the health information that they collect. The custodians can jointly agree to all use the same EMR. This provides continuity of care for the patients and economy of scale for the participants of the practice.

When the owner/custodian signs the agreement with the EMR, they become the signatory custodian. The EMR vendor takes their instructions from the signatory custodian.

The owner / custodian is now an information manager for all the participating custodians.  but does not become a custodian of the health information provided to them in their roles as an information manager.

For example,

Dr. Bill opened his medical practice, ABC Clinic. Later, additional physicians were recruited to work at ABC Clinic. The physicians are each custodians as defined by the HIA.

Dr. Bill assumes the responsibility for the operations of the clinic including the computer network and the contract with the EMR vendor. Dr. Bill is the information manager for the patient records at the clinic.

Each physician signs an IMA with Dr. Bill and agree that he will continue to manage the patient records on their behalf. Dr. Bill is operating as an information manager.

In his role of the information manager, Dr. Bill must follow the instructions from each physician, the custodian, as it relates to the management of their patients’ records.

2. Information Sharing Agreement (ISA)

When you have more than one physician in your practice, you need an agreement about how you will decide to manage the personal health information in your practice.

An Information Sharing Agreement (ISA) focuses on the internal decision making about all things related to personal health information whereas, an IMA is an agreement with a single vendor about the services that the vendor provides.

ISA IMA

An ISA may include things related to the services that a vendor provides but is not limited to just vendor services.

It also includes decisions about the process to ensure appropriate role based access to personal health information in the EMR, computer network, and paper formats; the regular review of health information privacy and security policies and procedures, ensuring privacy and security awareness training, the regular review of administrative, technical, and physical safeguards in the practice, and so on.

In larger organizations or when several smaller organizations participate in an information sharing initiative, a Data Management Committee may provide oversight and facilitate this process.

An ISA is a requirement of the College of Physicians and Surgeons of Alberta.

Identifying a successor custodian is also a requirement of the College of Physicians and Surgeons (CPSA).

3. Successor Custodianship Agreement

As a business owner, you need to plan a successor to the business. This might be an interim or short-term decision to ensure continuity during an absence or future retirement planning or unexpected illness or death.

In healthcare, physicians and custodians have the added responsibility as the ‘gatekeeper’ for patient records. In the event of a sudden inability to meet these responsibilities, physicians need to identify a successor custodian to ensure appropriate and continued access by patients to their health information for their continuing care and treatment and to ensure that the continuing confidentiality, security, and access to patient records continue to be fulfilled.

Have you identified a successor custodian? Each of the physicians in your group practice should also identify their own successor custodian.

This is a CPSA requirement and should also be included in the Privacy Impact Assessment if you have this information available. See CPSA, Patient Record Retention, s.5:

A regulated member acting as a custodian must designate a successor custodian to ensure the retention and accessibility of patient records in the event the regulated member is unable to continue as custodian. (Reference: Health Information Act Section 35(1)(q)

If you are a chiropractor, the Alberta College and Association of Chiropractors (ACAC) further requires its members to name a chiropractor as the successor custodian to maintain the status of ‘chiropractic’ records. (See the ACAC’s Standards of Practice s5.3 Custodianship of Health Records.)

A chiropractor, as a custodian of health records, is responsible for the care and control of the health records in their practices as required by the Health Information Act of Alberta. A custodian of active chiropractic files must be under the custody or control of an active, registered member of the ACAC.

Note that under the Health Information Act, a chiropractor may disclose files to another custodian who is not a chiropractor, and only a chiropractor may have custody or control of chiropractic files. Chiropractic files disclosed to a non-chiropractor should no longer be considered chiropractic files.

A custodian must implement technical and physical safeguards to protect the confidentiality of the information and privacy of individuals as well as protections against reasonably anticipated threats to the security or integrity of the information. A custodian must also defend against unauthorized uses, disclosures or modifications of the information. Safeguards must be periodically assessed and documented in policies and procedures.

If you are working in an owner/custodian scenario discussed above, clearly identifying a successor custodian becomes imperative. An unplanned absence of the owner / custodian can seriously jeopardize the business and the continuing care and treatment of patients.

The custodian can, but is not required to, name another custodian in the same practice to be their successor. Whatever your decision, ensure that this is well documented and easily accessible to the other custodians and key decision makers in your organization in the event of an emergency.

The best time to create IMA, ISA, and Successor Custodianship Agreements is when you start your healthcare business.

The second best time in now.

What are you waiting for?

If you need assistance, contact Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers. I’m here to help you with your Practice Management Success.

If you are a member of Practice Management Success, login here to access the Top 3 Agreements.

 

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

 
Do You Know Where Your Policies And Procedures Are?

Do You Know Where Your Policies And Procedures Are?

Do You Know Where Your Policies and Procedures Are?

This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice.

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

 

Don’t let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta’s Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose.

It started with at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Employee Dispute

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigative report is not the current custodian at the clinic. The physician was hired in 2015 and therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8 (6) of the Regulation states the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodians administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.

 

Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

  • The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information in contradiction contravention of section 8(6) of the regulation.
  • The custodian was in contravention of section 8(6) of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note any collection use or disclosure of health information by an affiliate of a custodian is considered to be the collection, use, and disclosure by the custodian.
  • The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps.

  1. Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
  2. Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
  3. Oath of confidentiality documents should be signed by all of all clinic staff and custodians and maintained in a secure location.
  4. Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.

Monitor

This incident occurred in 2016. The OIPC office did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide a provision for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure we have these administrative, technical, and physical safeguards in place and are maintained in a consistent fashion.

When you’ve done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

 

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget’ to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

 

 

References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf

When Do You Need a PIA Amendment?

When Do You Need a PIA Amendment?

A Privacy Impact Assessment Is Good For Business

A privacy impact assessment (PIA) is part of a regular business process if you collect, use, or disclose personal health information in your healthcare practice. When you have a previous PIA that has been prepared, submitted to the Office of the Information and Privacy Commissioner (OIPC) and it has been accepted for use–well, that is not the end of your PIA journey.

You need to ensure that you are updating and amending your PIA as your practice matures and as you make administrative and technical changes to the procedures in your practice.

You need a PIA Amendment when you have a previously accepted PIA and any one of these common triggers below.

You Have a PIA That Was Written More Than 2 Years Ago

It is time to review and update this!

Under Section 8(3) of Alberta’s Health Information Regulation, custodians must periodically review the safeguards they have in place to protect health information privacy. This means that custodians need to regularly review the privacy risk mitigation plans set out in PIAs to ensure they continue to protect against reasonably foreseeable risks to the privacy of health information. The submission of your PIA to the Office of the Information and Privacy Commissioner (OIPC) is mandatory and must precede implementation of your new system or practice.

Change in Health Information Act (HIA) Legislation and Regulations

The HIA has undergone significant amendments in 2006, 2010, most recently in August 2018. Make sure that you have updated your privacy breach management program and include mandatory privacy breach notification to the (OIPC) and the Minister of Health (MOH). Again, ensure that your team training has been updated so that they know how to spot, stop, and report a privacy breach. (See Mandatory Privacy Breach Notification)

Changes In Your Electronic Medical Record or Computer Network

You have the same EMR database, but maybe the configuration has changed. For example, a change from a local to an application service provider (ASP) or cloud-based data centre or Software as a Service (SAS) model would trigger a PIA amendment.

Another trigger is a change in your computer network vendor or changes in wireless networking, remote access, or implementing mobile devices.

PIA amendment EMR computer network

Change in Participating Physicians / Privacy Officer

Since your original PIA, you may have new custodians, including physicians, registered nurses, chiropractors, and other health professionals named in the HIA that have joined or left your practice. Your Privacy Officer may have changed, too. Your amendment should include an up-to-date listing of custodians and privacy officers.

New Users / Information Sharing

There have been many recent information sharing initiatives in healthcare. You might now plan to participate in evaluation projects, patient panel management, or other community initiatives. Make sure that you have your PIA amendment and information manager agreements completed, too. (See – The Top 3 Agreements Your Healthcare Practice MUST Have (and Why).

A quick word of caution: if your new information sharing project includes data matching–the creation of new information by combining two or more sets of data—requires custodians to prepare a privacy impact assessment before performing data matching involving health information (HIA sections 70, 71). The custodian that carries out the data matching is responsible for preparing the Privacy Impact Assessment.

PIA amendment new users

Communicating With Patients

If you are adding new technology to keep in touch with patients for appointment reminders, on-line appointment booking, secure email or patient portals, these will trigger a PIA amendment or, perhaps, a project specific PIA. Make sure that your policies and procedures are up to date, too. (See – Can You Use Text Message With Your Patients? )

PIA Amendment Communicating with patients

Alberta Netcare Portal (ANP) / Community Integration Initiative (CII) / CPAR

ANP updated their PIA in 2016 and, therefore, you need to make sure that your corresponding policies and procedures and training have been updated, too. Remember – when you agreed to participate in ANP, you promised that you would review your threat risk analysis (TRA) and update your Provincial Organization Readiness Assessment (p-ORA) when changes occur and at least every two years.

Prior to applying for the Alberta  CII / CPAR Grant, your practice must have a privacy impact assessment that reflects the current clinic environment.

Maturing Practice

You have learned and grown since your original Privacy Impact Assessment submission. Have you implemented everything that you said that you would? Can you demonstrate that your teams have received privacy and security awareness training? Have you reviewed your Health Information Management Privacy and Security policies and procedures in the last two years?

Keeping up to date without any other significant changes to your practice may not trigger a Privacy Impact Assessment amendment. Make sure that you document your careful review so that you are prepared for your next Privacy Impact Assessment submission.

Important Business Decisions

Creating and reviewing your PIA regularly can help you to spot errors or gaps between the way that you do the work in the clinic and the way that you said that you were going to implement in your clinic.

The questions that we ask during the PIA process are important. The time that you take now to identify the potential risks and prevent those incidents from happening may save you time, money, reputation and even jail time in the future.

 

3 Options to Help you Create your Privacy Impact Assessment

DIY – Do It Yourself – The Privacy Impact Assessment course, Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course, Includes PIA templates, training sessions live and the replays, and access to me to ask your questions and receive feedback to help you get un-stuck.

DFY – Done For You – I prepare your Health Information Management Privacy and Security Manual policies and procedures and your Privacy Impact Assessment. You receive both paper and electronic copies of all the documents.

DWY – Done With You – a hybrid solution, you register for the on-line course and do the information gathering and preparation of your Privacy Impact Assessment submission with coaching from me in the course. I will also assist you to prepare the customized privacy and security policies and procedures, and resources as needed at an hourly consulting rate.

Find out more here: Privacy Impact Assessments or send me an email.

Build a Strong Privacy Management Program for Your Clinic with These 5 Critical Modules

Build a Strong Privacy Management Program for Your Clinic with These 5 Critical Modules

Build a Strong Privacy Management Program for Your Clinic With These 5 Critical Modules

Many privacy officers in small healthcare practices have other roles—as a clinic manager, healthcare provider, computer network technician, or business owner. It is little wonder that new privacy officers can feel overwhelmed when trying to balance these responsibilities every day.

But that’s not the end of the problem. It actually gets worse!

You could continue to –

😮 Panic when a patient asks for their information for access or correction.

😔 Scramble when new employees and healthcare providers join your clinic . . .and suddenly realize that you never got around to providing privacy and cybersecurity awareness training.

😯 Hope that your practice will not be tapped on the shoulder for a practice review by your college or the OIPC.

🤐 Ignore privacy breach and hope no one else notices.

😒 Avoid difficult decisions with your owners / staff who insist on doing things their way – even when it is not privacy compliant.

😞 Never get ‘review privacy impact assessment’ and ‘review privacy policies and procedures’ off of your to-do list.

😥 Avoid discussing privacy and security with your EMR and computer networks managed service providers because you are unsure of what questions to ask and what types of answers you should receive.

If you don’t have a written privacy management program and action plan, you are missing the systems to monitor routine tasks that will protect privacy and alert you to potential problems before they become privacy and security incidents.

Carrying out the duties of a Privacy Officer correctly is vital to ensure your organization is safe from the consequences of a big privacy breach.

But did you know that those organizations who have a privacy officer and a privacy management program are:

  • Less likely to have a privacy or security incident
  • Increased staff satisfaction
  • Increased patient satisfaction and outcomes

We Know That Privacy Is Good For Business

​We know that having policies, procedures, and systems in place will improve your privacy compliance in your organization and help you make good business decision.

When we have consistent practices in place, it improves communication and prevents a multitude of problems.

I’d like to share with you what I believe are the 5 critical modules of a privacy management program

The 5 Modules of a Strong Privacy Management Program for Your Clinic includes

  1. Know Your Obligations
  2. Train
  3. Privacy Breach Management
  4. Document
  5. Access and Disclosure

We expect organizations which collect, use, or disclose health information to have key components of a privacy accountability program. These include:

Every healthcare and private organization that is subject to privacy laws must comply with them. A comprehensive privacy management program provides an effective way for organizations to create a culture of privacy in their practice, practice accountability for the collection, use, disclosure, and access of personal information, and show compliance with regulations.

Module 1—Know your Obligations

​Key accountability for your privacy management program starts with your healthcare provider(s). These are also known as “custodians”. They are ultimately responsible for the privacy, confidentiality and security of personal health information (PHI).

The key healthcare provider—physician, dentist, chiropractor, nurse—can assign or delegate a key person who is accountable to the custodian to implement and monitor a privacy management program. This is often known as a privacy officer. In many smaller healthcare practices, the clinic manager or practice manager is also the privacy officer.

The business owner (who might also be the healthcare provider) also has obligations to follow the privacy laws as it relates to the privacy of personal information of employee, customers, and general business information.

The healthcare provider, business owner, and privacy officer form a ‘trifecta’ of authority and responsibility in your practice to ensure that you comply with privacy legislation, professional standards of practice, and contractual commitments.

Knowing your obligations includes clear authority and accountability in your practice, inventory of identifying information that you have in your practice, and understanding how privacy legislation guides your business. Your privacy officer and custodians may require training in these areas to better understand their obligations.

Module 2—Training for Privacy Awareness

​Training is an important component of your privacy management program. The privacy officer in your organization ensures that privacy awareness, cybersecurity, and privacy breach management are provided in your healthcare practice.

There should be both a formal and an informal training plan. A pre-planned privacy awareness training must be available for everyone in your organization, including new and seasoned professionals. It is critical that you can provide and document that everyone in your organization completed consistent common training.

We can provide informal training throughout the year. For example, have a standing agenda item during your staff meeting to do something consistently for everyone in the organization throughout the year. Leverage activities like Data Privacy Day, Change Your Password Month, Cybersecurity Awareness Week to provide a variety of content.

frequently missed trigger for additional training happens when an employee is promoted to a new position. This is a great opportunity for the privacy officer to meet with the employee and discuss their new role and how their responsibility, for example, of authorizing new users or supervising employees contributes to the confidentiality and security of PHI.

Remember to document who attended the training opportunities and keep copies of the training content to show your actions to protect privacy.

Listen to the podcast How To Keep Privacy Awareness Top Of Mind | Episode #093 for more tips and resources to help you plan training throughout the year.

Module 3 – Effective Privacy Breach Management

​Ensure that a written privacy breach management procedure is part of your overall privacy management program. The privacy officer will document your privacy breach management policies and procedures, sanctions policies and procedures, and train all employees to identify a privacy breach and report it to their supervisor. The privacy officer will manage a (suspected) privacy breach and ensure notification to their custodians, individuals affected by the breach, and others as needed.

The privacy officer will manage mandatory privacy breach notification requirements under the health privacy legislation like the Alberta Health Information Act (HIA), Ontario Personal Health and Information Protection Act (PHIPA) and the Personal Information Protection of Electronic Documents Act (PIPEDA) and other province’s legislation.

See Understanding a Privacy Breach for more tips.

Module 4—Documentation: The Backbone of Privacy Compliance

​I think most people in healthcare are familiar with the adage, “If it is not documented, it didn’t happen.” This applies to your privacy management program, too. Your program should include written:

  • Health Information Privacy and Security Policies, Procedures
  • Risk Assessment – Safeguards
  • Practical Privacy Review
  • Privacy Impact Assessment
  • Information Management Agreement
  • Information Sharing Agreement
  • Successor Custodian
  • Training plan

These actions will help you protect the PHI of your patients and your business. They help to demonstrate your compliance with your privacy and security obligations. Review and update these key documents annually.

See Privacy Impact Assessment for more tips.

Module 5 – Access and Disclosure: Ensuring Patient Rights

​When you collect PHI from patients and PI from employees and customers, you must ensure that they can access, correct, and authorize disclosure of their information.

Release of information (ROI) policies and procedures is a critical module of your privacy management program. Your privacy officer is tasked with ensuring that your ROI plan is written, understood, includes specific training to your employees, and follows legislated standards and professional college standards of practice. When you meet your ROI obligations, you avoid complaints and breaches, work efficiently, and improve the trust of your patients.

Struggling to Learn Your Role As A Privacy Officer On Your Own?

If you are a privacy officer in a healthcare practice who needs practical privacy management strategies to protect your patients and your healthcare business but aren’t sure how to get started, register for the Practical Privacy Officer Strategies training here.

The training starts on April 11, 2024.

Not sure if this is for you?

Send me an email and ask me! I’m happy to mentor you and help you assess your practice management and privacy compliance priorities.

Listen to the replay of my recent LinkedIn Live Event here.

 
Do You Want To Be A Confident Healthcare Privacy Officer?

Do You Want To Be A Confident Healthcare Privacy Officer?

 

Understanding the Role: What Is a Privacy Officer?

privacy officer is a key employee in a healthcare organization who is named by the healthcare provider (custodian) and assigned the responsibility to oversee all activities related to the implementation of, and adherence to, the organization’s privacy practices, and to ensure operational procedures are in compliance with relevant privacy laws. The Privacy Officer monitors employees and systems about how information is collected, used, and disclosed and access to identifying information.

A privacy officer may be known by other titles like privacy compliance officer or a security officer.

If your healthcare business involves the collection, use, and disclosure of your clients’ and patients’ personal health information, a privacy officer is necessary in order to meet legislated requirements.

Consequences of Operating Without a Privacy Officer

Healthcare practices without a privacy officer often experience confusion about how patients’ personal health information should be collected, used, and disclosed. Patients may complain about lack of access to their personal health information. Without a named privacy officer to assume the responsibility to implement and monitor reasonable administrative, technical, and physical safeguards you are more likely to experience privacy and security incidents, privacy breaches, investigations, fines, and charges under the privacy legislation!

Case Studies: Real-world Implications of Privacy Officer Absence

In 2019, the British Columbia Office of the Information and Privacy Commissioner (OIPC) conducted a privacy audit of 22 medical clinics. OIPC auditors examined 22 clinics and found gaps in privacy management programs at several clinics, including the absence of a designated privacy officer, a lack of funding and resources for privacy and a failure to ensure that privacy practices keep up with technological advances.

Here’s another example. A complaint was made against a medical clinic with an employee suspected of accessing health information for an unauthorized purpose. The Alberta OIPC investigated and revealed confusion around the roles and responsibilities of privacy compliance among the custodians and the privacy officer. The OIPC determined that the custodian was in contravention of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to the all of the custodian’s administrative, technical, and physical safeguards with respect to health information. 

Say No to Snooping: The Need for Privacy Enforcement

Employees are not aware of privacy requirements and engage in snooping into personal health information. Consequences of employee snooping include firing, charges under the Health Information Act and court ordered fines, jail time, probation, community service and more. 

say not so snooping animation of thief taking papers from folder

Roles and Responsibilities of a Healthcare Privacy Officer

So, what does a privacy officer do? The roles and responsibilities of a privacy officer in a typical healthcare practices include the following:

  • Identify privacy compliance issues for the business.
  • Ensure privacy and security policies and procedures are developed and keep them up to date.
  • Ensure that everyone working at your clinic and your vendors are aware of their privacy obligations.
  • Monitor your clinic’s ongoing compliance with privacy legislation like the Health Information Act (HIA) in Alberta.
  • Provide advice and interpretation of related legislation for the business.
  • Respond to requests for access and corrections to personal information.
  • Ensure the security and protection of personal information in the custody or control of the business.
  • Act as the primary point of privacy and access contact for staff, patients, vendors, regulators and other stakeholders.

Get the FREE Practice Management Success Tip, Privacy Officer Job Description Template.

 

 
Do You Need to Build a Privacy Awareness Training Plan in Your Healthcare Practice?

Do You Need to Build a Privacy Awareness Training Plan in Your Healthcare Practice?

One of the most frequent questions that I receive is “Jean, how often do we need to do privacy awareness training?”

Structured training should be available at least annually.  Just-in-time training and informal reminders can keep privacy top of mind year-round.

In the fast-paced world of healthcare, safeguarding patient privacy isn’t just a legal obligation—it’s a fundamental aspect of quality care delivery. However, ensuring that every staff member understands their role in maintaining confidentiality can be a complex challenge. This is where a robust privacy awareness training program comes into play.

When you have a written practical privacy awareness training plan, you will save clinic managers’ time, manage the risk of employee compliance, and motivate employees to become informed privacy advocates for your patients.

Not Just for New Employees

Privacy awareness training is more than a checklist when new employees are hired.

From receptionists to physicians, every member of a healthcare practice plays a pivotal role in protecting patient information. Contrary to common belief, privacy awareness training isn’t a onetime event; it’s an ongoing necessity. By conducting regular training sessions, staff members are kept up to date on regulations and best practices, which helps to prevent compliance breaches.

As an employer and health care provider, you are responsible for providing regular training to all your employees about privacy awareness.

The Vital Role of the Privacy Officer

The privacy officer spearheads the planning, implementation, and monitoring of privacy training initiatives. Their active involvement is crucial in protecting the organization from legal and reputational risks, through facilitating sessions and ensuring policy compliance.

Mitigating Risks and Ensuring Compliance

Without adequate training, healthcare providers face increased risks of privacy breaches. Ignorance of policies and procedures is not an excuse in the eyes of the law. Organizations that neglect privacy awareness training not only jeopardize patient trust but also expose themselves to severe penalties.

Protect Your Organization and Your Patients

Equip your staff with the information they need to confidently and correctly handle personal health information. Healthcare businesses who want employee and supervisor level privacy awareness training to support key policies, procedures and risk management programs need a privacy awareness training program.

Crafting Your Comprehensive Training Plan

Crafting an effective privacy awareness training plan need not be overwhelming. That’s why we’re excited to offer a **60-minute free webinar** designed specifically for clinic managers and privacy officers. In this webinar, you’ll learn how to design and implement a year-round training plan tailored to your practice’s needs.

Webinar Highlights

  • Practical strategies for developing a comprehensive training plan
  • Real-life scenarios and best practices for mitigating privacy risks
  • Tips for managing staff members who may struggle to grasp privacy concepts
  • Resources to kick-start your training initiatives immediately

 

Don’t miss this opportunity to elevate privacy standards within your healthcare practice. Register now for our **free 60-minute webinar** and equip your team with the knowledge and skills to safeguard patient confidentiality effectively.

When you invest in training, medical clinics show their commitment to protecting patient privacy and upholding the highest standards of professionalism. Join us for our upcoming webinar and take the first step towards fostering a culture of privacy excellence in your practice.

 

Build a Privacy Awareness Training Plan for Your Healthcare Practice

Oops, you missed the live training event.

But don’t worry! This replay is available as a ‘Webinar on Demand’ in your Practice Management Success membership.

Not a member, yet?

What are you waiting for?

Click here to start your membership today and watch this training webinar right away!

 

This Webinar Includes

  • Live on-line training
  • Q&A with Jean Eaton, Your Practical Privacy Coach when you join the webinar live
  • Access to the replay for a limited time
  • Learning Resources Guide
  • Training Plan Template
privacy awareness training plan image
Data Privacy Day 2024 Events and Resources For You!

Data Privacy Day 2024 Events and Resources For You!

Data Privacy Day 2024 Events and Resources for You!

Data Privacy Day is an internationally recognized day dedicated to creating awareness about the importance of privacy and protecting personal information.

That means a lot to me and I think it means a lot to you, too. I think it is important that we give our patients and clients the gift of privacy. And that we have the right tools and resources for our employees to make good privacy and security decisions in our businesses.

Information Managers Ltd. is a Data Privacy Champion!

Data Privacy Week Champion badge 2024
As a DPD Champion, Information Managers recognizes and supports the principle that organizations, businesses, and government all share the responsibility to be conscientious stewards of data by respecting privacy, safeguarding data, and enabling trust.
Each of us is responsible to manage our name and our identity. When you share your personal information, you have the right and responsibility to ask the person or business why they need the information and how they will protect your personal information.
Jean L. Eaton

Your Practical Privacy Coach, Information Managers Ltd.

Data Privacy Day Pop-Up Privacy Chats on

LinkedIn Live

Friday, January 26, 2024

 

 

Data Privacy Day 2024 Champion bdge

🔒 Join Us for Privacy Chat Pop-Up on LinkedIn Live Event! 🔒

In celebration of Data Privacy Day, we invite you to an engaging and insightful Privacy Chat Pop-Up on LinkedIn Live. Mark your calendars for Friday, January 26, 2024, as we bring together experts to share valuable insights and practical tips for safeguarding personal information and enhancing privacy practices in your small business.

🗣 Event Highlights:

Friday, January 26, 2024 0900-1600

Pop in for 15 minute segments throughout the day!

Add your comments and join the conversation!

Free to attend!

🎙 Live on LinkedIn:

Visit our Information Managers business page on LinkedIn to catch the privacy chats live or enjoy replays at your convenience!

https://www.linkedin.com/company/information-managers-ca/

 

👥 Guest Speakers:

 

💡 Agenda:

  • Privacy vs Confidentiality
  • Cross Border Data Transfers
  • Know Your Data
  • Website Privacy Statements
  • Emerging Privacy Legislation
  • Tips to Select Your Canadian Practice Management Software
  • Privacy Tips for Parents
  • 6 Steps To Small Business Privacy Compliance
  • Plan Privacy Awareness Education for Your Team

 

🤝 Why Attend?

  • Gain practical privacy tips for immediate implementation
  • Equip your business with the right tools for privacy and security decisions
  • Elevate awareness about the importance of data privacy in your professional community

 

Data privacy is not just a buzzword; it’s a commitment to ensuring the security of personal information. Together, let’s empower ourselves, our clients, and our employees to make informed decisions in the realm of privacy.

 

🔗 Event Link:

 https://www.linkedin.com/company/information-managers-ca/

Sign into your LinkedIn account

Navigate to Information Managers Ltd page

Select the Pop-Up Chat to Join us Live!

📅 Save the Date and Let’s Chat Privacy!

 

#DataPrivacyWeek #PrivacyChat #SmallBusinessPrivacy #DataPrivacyDay #LinkedInLiveEvent #Healthcare #medical #dental #therapists

Data Privacy Day Resources

5 Steps To Prevent Employee Snooping

SAY NO TO SNOOPING!

If an individual affiliate knowingly breaches the privacy and security of health information, and the custodian can demonstrate that reasonable safeguards (including privacy awareness training) were in place, the individual affiliate can be charged under the Health Information Act. Fines of up to $50,000 may be applied to the individual, in addition to other sanctions from their employers and/or their professional regulatory colleges where applicable (HIA s.107).

What Is Snooping?

Looking at someone’s personal information without having an authorized purpose to access that information to do your job is known as ‘snooping’.

Even when you are “just looking” at personal information but don’t share that information with anyone else, this is still a privacy breach.

It is illegal.

Snooping incidents are on the rise and can cost you time, money, heartache, and headache in your practice.

When there is an offence under the privacy legislation like the Health Information Act, there may be an investigation, charges and court appearances, fines, penalties, and loss of employment.

Snooping is entirely preventable.

How Can You Prevent Employee Snooping?

Let’s take a look at the pro-active steps that you can take today to prevent employee snooping.

 

prevent employee snooping

Download the Practice Management Success Tip 5 Steps to Prevent Employee Snooping

The Practice Management Success Tip, 5 Steps to Prevent Employee Snooping, will help you

  • Take 5 practical steps to prevent employee snooping.
  • Provide clarity about what is considered a privacy breach.
  • Contribute to the health information privacy compliance in your healthcare practice.

Protect Your Organization and Your Patients With a Privacy Awareness Quiz

Equip your staff with the information they need to confidently and correctly handle personal health information.

Healthcare businesses need privacy awareness training to support key policies and procedures, and risk management programs need a privacy awareness training program.

Reasonable Safeguards

As an employer and healthcare provider, you are responsible to provide training to all of your employees about privacy awareness.

If you don’t provide the training, or if the employees don’t understand the policies and there is a privacy breach, then the healthcare provider is more likely to be held accountable under the legislation and face penalties, including fines and even prison!

Patients value the privacy and security of their information.

Healthcare providers and clinic managers value privacy and security, and they value not having adverse results as a lack of compliance or patient safety issues.

Data Privacy Day Privacy Awareness Quiz

Patients trust their healthcare providers with their sensitive, personal, and financial information.

If patients don’t feel that the healthcare provider will keep their information confidential and secure, patients may choose not to share their information, which may impact their healthcare and treatment.

When we are privacy aware, we can better respond to patients’ questions and build their trust in the quality of services that we provide.

Download the Privacy Awareness Quiz to use today to train your employees and protect your patients’ health information.

Online Legal Essentials Review

Online Legal Essentials Review

Online Legal Essentials Helps Canadian Entrepreneurs move from Overwhelm to Legal Easy!

Do you have a small business in Canada?

Then you need customizable templates to help you set up your business, operate your bricks and mortar local business or your online business!

Corrine Boudreau of Online Legal Essentials can help you!

Corinne has developed guided legal templates for Canadians doing business online.

Corinne has a knack for making things practical and easy to implement.  Being a lawyer since 2002 has given her perspective and experience to boil things down to the essentials.

You know that I love templates – and tips, tools, and training to make it easy!

Corinne delivers this for you!

 

Online legal essentials review
Online Legal Essentials Library Canadian Templates

Not Sure What Legal Documents You Need for Your Business?

Many healthcare providers are excited to open their first independent practice but have many questions about how to build a legal foundation for their practice.

The Ultimate Business Checklist will help you

  • Build a legal foundation for your healthcare business
  • Portray a professional appearance to your patients and clients
  • Guide you to make good decisions in the right order without missing steps

Grab the FREE Checklist from Online Legal Essentials

 

Ultimate Business Checklist

Do You Have a Website for Your Healthcare Practice?

Well then, you are required by law to have a Privacy Policy on it.

Online Legal Essentials is here to help you with a simple, easy to complete Privacy Policy (with Canadian PIPEDA and EU GDPR provisions).

You will also find in this program the following templates to protect your business online:

– Copyright Notices

– Website Legal Disclaimers

– Website Terms of Use

Videos and easy-to-use templates will have these tasks checked off your to-do list in no time!

Check out the Website Legal Essentials templates!

Roadmap for Healthcare Providers

Corinne Boudreau and I believe in the power of education and templates to help healthcare providers start profitable businesses in Canada.

When you register for this free on-demand webinar, you get access to the Roadmap guide and the Roadmap Timeline google sheet to help you with your project management for your business.

Make sure to check out the legal templates from Corinne–ideal to help you prepare the Canada specific legal documents for your new business. 

Are You Hiring Employees?

Make sure your contract terms are clear when you are hiring people for your business. 

 
The Legal Hiring Template Pack provides the necessary information and contract templates to help you start your new hires on the right foot.  
 

So Much MORE!

Corinne Boudreau has created so many more Canadian legal templates to help you in your business. 

Check out these titles, too!

Online Legal Essentials Templates

Lady in business suit Jean Eaton

“When we know better, we can we do better.”

I help healthcare practices with practical tips, tools, templates and training to help you in your career and help you to start, grow, or fix the business of a healthcare practice.

Affiliate Compensation: From time to time, I promote, endorse, or suggest products or services of others. In most cases, I will be compensated – either as an affiliate with a commission based on sales, or with a free product to review or use. My recommendations are always based on (i) my personal belief in the high quality and value of the product or service, and (ii) my review of the product or service, or a prior relationship or positive experience with the sponsoring person or organization.

Jean L. Eaton, Your Practical Privacy Coach with Information Managers Ltd.

Small Business Tech Day

Small Business Tech Day

Click on the >> Arrow above and watch the short (5 min) video to watch my 6 steps to help you right away!

The Privacy Playbook: 6 Steps to Small Business Privacy Compliance

I’m Jean L. Eaton, your Practical Privacy Coach and Practice Management Mentor. I help healthcare providers and clinic managers implement privacy best practices, like pulling together the right forms and paperwork to use with their employees and patients and implementing privacy best practices.

Whether it’s improving privacy workflow, understanding the impact of breaches, working with privacy legislation, privacy impact assessments, or mentoring privacy practices among staff, I make privacy in healthcare simple and straightforward.

I have found that when small business use these 6 steps to small business privacy compliance:

  • your privacy management program operates smoothly every month
  • you avoid nasty privacy and security incidents
  • your business operates more efficiently

When you focus on proper privacy and security practices, compliance falls into place.

Information Managers Is Proud to be an Official Partner of the Small Business Tech Day.

To access more replays recorded on November 16, 2023, 

Register here! It’s FREE!

 

How To Use Current Technology To Maximize Productivity And Profits In Your Business While Staying Protected And Secure

Small businesses must be nimble to prevent cybersecurity crime and continue to boost profitability and productivity. Technology automation and AI can help–when you implement wisely.

We can help you with that!

This Free Online Event Features Speakers Shark Tank’s Robert Herjavec, Co-Founder Of Siri Adam Cheyer And Best-Selling Author And Entrepreneur Extraordinaire Mike Michalowicz.

Solid Technology Solutions has been named as the official host of Edmonton Small Business Tech Day happening on November 16th.

This online event is designed to help small businesses navigate the future of technology, especially with the recent emergence of AI.

We’ll ensure you are equipped with the best advice from these world-renowned experts when it comes to changes in your day-to-day business.

Featuring well-known business leaders, tech experts and leading minds showing small businesses how to compete and succeed in many aspects of their business with a concentration on utilizing technology to be productive, profitable, and protected.

Learn how to maximize productivity, profits, and security in your business!

Discover cutting-edge technologies in these presentations that can streamline your business operations, saving you time and increasing overall efficiency.

“A Shark’s-Eye View Of The Future Of Small Business Tech” with Robert Herjavec

Shark Tank Celebrity Robert Herjavec will discuss the distinct differences between businesses losing money and those that are becoming more profitable and growing.

“New Business Protections You Need In Place NOW To Safeguard Your Assets” with Grant Dakin

Roughly 61% of all SMBs were the target of at least one cyber-attack in the past few years, which can equal hundreds of thousands of dollars in lost revenue. It’s no longer a question of IF you’ll get hacked, but WHEN. Millions of organizations are being held hostage by cybercriminals and hackers. During this session, you’ll get actionable steps to take to proactively protect your business from lost profits and irreparable reputational damage.

“The Good, The Bad, And The Ugly Of AI In Small Business” with Adam Cheyer

Your business needs to be prepared for current programs and technology and what’s on track to possibly disrupt it further.

“How To Get Your Business To Run On Its Own” with Mike Michalowicz

You can have the freedom to take a vacation or some well-deserved time off.

“The Privacy Playbook: 6 Steps to Small Business Privacy Compliance” with Jean L. Eaton

When you focus on proper privacy and security practices, compliance falls into place. Grab my 6 steps to help you right away.

Solid Technology Solutions is Your Proud Host

Solid Technology Solutions helps small businesses equip themselves with the best technology and practices available today to increase productivity and profitability and protect them against online threats.

Get your no-cost invitation!

Information Managers Is Proud to be an Official Partner of the Small Business Tech Day

Information Managers Partner image

No matter what happens with the economy, there are strategies you can use to keep growing profitably while keeping your business secure.

Today you can get these strategies when you join us at https://www.solidtech.ca/tech-week-2023-videos/.

Think Like a Hacker: Safeguarding Your Business in the Digital Age

Think Like a Hacker: Safeguarding Your Business in the Digital Age

I’m tickled pink to be a member of the discussion panel at

‘Think Like a Hacker: Safeguarding Your Business in the Digital Age’

Cyber Crime is Climbing in Healthcare

The rise of cybercrime in healthcare is alarming.

“The Healthcare vertical is highly targeted by ransomware gangs, which results in both the loss of use of their systems—potentially with life-threatening consequences—as well as data breaches.” 

Verizon 2023 Data Breach Investigations Report (DBIR)

Accurate Networks and Armour Insurance Help You To Prevent Cyber Crime

‘Think Like a Hacker: Safeguarding Your Business in the Digital Age’ event is sponsored by Accurate Network Services and Armour Insurance.

Cybercrime, hacking, and privacy breaches are the biggest risks facing any organization today. Regardless of your size or industry—you are a target.

Think Like a Hacker to Protect Your Practice

Constable Jon Cook, an RCMP Cybercrimes Investigator, will share his experience from the front lines of this new frontier of cybercrime. Find out how hackers use social engineering and other common hacking methods that threaten your practice. Use these examples to identify potential weak spots and risk in your healthcare practice.

Safeguard Personal Health Information and Your Business

Join us for an interactive Q&A session with industry experts in Medical, Privacy, Insurance, IT, and Law Enforcement. We will answer your questions and offer you practical advice on how to protect against cyber risks.

I’ll be there to discuss privacy compliance and safeguards that you can take to prevent hackers in your medical or dental practice.

Stay and mingle with other attendees while enjoying complimentary appetizers and drinks at the historic Bell in Scona.

Don’t wait until it’s too late!

Join me at ‘Think Like a Hacker: Safeguarding Your Business in the Digital Age’ on Sept 27, 2023, in Edmonton.

Let’s tackle cyber threats in healthcare together!

#CyberSecurity #Healthcare

Get your no-cost invitation!