Online Legal Essentials Review

Online Legal Essentials Helps Canadian Entrepreneurs move from Overwhelm to Legal Easy!

Do you have a small business in Canada?

Then you need customizable templates to help you set up your business, operate your bricks and mortar local business or your online business!

Corinne Boudreau of Online Legal Essentials can help you!

Corinne has developed guided legal templates for Canadians doing business online.

Corinne has a knack for making things practical and easy to implement. Being a lawyer since 2002 has given her perspective and experience to boil things down to the essentials.

You know that I love templates – and tips, tools, and training to make it easy!

Corinne delivers this for you!


Black Friday Special!

Black Friday Sale 30% off legal template packs (except the Canadian Online Legal Template Library).

Remember to use the Coupon Code BFRI30!

Hurry! This offer goes away on Friday, December 1st.

Online Legal Essentials Library Canadian Templates

Not Sure What Legal Documents You Need for Your Business?

Many healthcare providers are excited to open their first independent practice but have many questions about how to build a legal foundation for their practice.

The Ultimate Business Checklist will help you

  • Build a legal foundation for your healthcare business
  • Portray a professional appearance to your patients and clients
  • Guide you to make good decisions in the right order without missing steps

Grab the FREE Checklist from Online Legal Essentials


Ultimate Business Checklist

Do You Have a Website for Your Healthcare Practice?

Well then, you are required by law to have a Privacy Policy on it.

Online Legal Essentials is here to help you with a simple, easy to complete Privacy Policy (with Canadian PIPEDA and EU GDPR provisions).

You will also find in this program the following templates to protect your business online:

– Copyright Notices

– Website Legal Disclaimers

– Website Terms of Use

Videos and easy-to-use templates will have these tasks checked off your to-do list in no time!

Check out the Website Legal Essentials templates!

Roadmap for Healthcare Providers

Corinne Boudreau and I believe in the power of education and templates to help healthcare providers start profitable businesses in Canada.

When you register for this free on-demand webinar, you get access to the Roadmap guide and the Roadmap Timeline google sheet to help you with your project management for your business.

Make sure to check out the legal templates from Corinne–ideal to help you prepare the Canada specific legal documents for your new business. 

Are You Hiring Employees?

Make sure your contract terms are clear when you are hiring people for your business. 

The Legal Hiring Template Pack provides the necessary information and contract templates to help you start your new hires on the right foot.  

So Much MORE!

Corinne Boudreau has created so many more Canadian legal templates to help you in your business. 

Check out these titles, too!

Online Legal Essentials Templates

“When we know better, we can do better.”

I help healthcare practices with practical tips, tools, templates and training to help you in your career and help you to start, grow, or fix the business of a healthcare practice.

Affiliate Compensation: From time to time, I promote, endorse, or suggest products or services of others. In most cases, I will be compensated – either as an affiliate with a commission based on sales, or with a free product to review or use. My recommendations are always based on (i) my personal belief in the high quality and value of the product or service, and (ii) my review of the product or service, or a prior relationship or positive experience with the sponsoring person or organization.

Jean L. Eaton, Your Practical Privacy Coach with Information Managers Ltd.

Small Business Tech Day

How To Use Current Technology To Maximize Productivity And Profits In Your Business While Staying Protected And Secure

Small businesses must be nimble to prevent cybersecurity crime and continue to boost profitability and productivity. Technology automation and AI can help–when you implement wisely.

We can help you with that!

This Free Online Event Features Speakers Shark Tank’s Robert Herjavec, Co-Founder Of Siri Adam Cheyer And Best-Selling Author And Entrepreneur Extraordinaire Mike Michalowicz.

Solid Technology Solutions has been named as the official host of Edmonton Small Business Tech Day happening on November 16th.

This online event is designed to help small businesses navigate the future of technology, especially with the recent emergence of AI.

We’ll ensure you are equipped with the best advice from these world-renowned experts when it comes to changes in your day-to-day business.

Featuring well-known business leaders, tech experts and leading minds showing small businesses how to compete and succeed in many aspects of their business with a concentration on utilizing technology to be productive, profitable, and protected.

Learn how to maximize productivity, profits, and security in your business!

Discover cutting-edge technologies in these presentations that can streamline your business operations, saving you time and increasing overall efficiency.

“A Shark’s-Eye View Of The Future Of Small Business Tech” with Robert Herjavec

Shark Tank Celebrity Robert Herjavec will discuss the distinct differences between businesses losing money and those that are becoming more profitable and growing.

“New Business Protections You Need In Place NOW To Safeguard Your Assets” with Grant Dakin

Roughly 61% of all SMBs were the target of at least one cyber-attack in the past few years, which can equal hundreds of thousands of dollars in lost revenue. It’s no longer a question of IF you’ll get hacked, but WHEN. Millions of organizations are being held hostage by cybercriminals and hackers. During this session, you’ll get actionable steps to take to proactively protect your business from lost profits and irreparable reputational damage.

“The Good, The Bad, And The Ugly Of AI In Small Business” with Adam Cheyer

Your business needs to be prepared for current programs and technology and what’s on track to possibly disrupt it further.

“How To Get Your Business To Run On Its Own” with Mike Michalowicz

You can have the freedom to take a vacation or some well-deserved time off.

“The Privacy Playbook: 6 Steps to Small Business Privacy Compliance” with Jean L. Eaton

When you focus on proper privacy and security practices, compliance falls into place. Grab my 6 steps to help you right away.

Solid Technology Solutions is Your Proud Host

Solid Technology Solutions helps small businesses equip themselves with the best technology and practices available today to increase productivity and profitability and protect them against online threats.

Solid Tech is proudly hosting this FREE online event on Nov 16, 2023.

Get your no-cost invitation!

Information Managers Is Proud to be an Official Partner of the Small Business Tech Day

Join me at the Small Business Technology Day on November 16, 2023.

Registration is limited so act now!

Get your no-cost invitation!

Think Like a Hacker: Safeguarding Your Business in the Digital Age

I’m tickled pink to be a member of the discussion panel at

‘Think Like a Hacker: Safeguarding Your Business in the Digital Age’

Cyber Crime is Climbing in Healthcare

The rise of cybercrime in healthcare is alarming.

“The Healthcare vertical is highly targeted by ransomware gangs, which results in both the loss of use of their systems—potentially with life-threatening consequences—as well as data breaches.” 

Verizon 2023 Data Breach Investigations Report (DBIR)

Accurate Networks and Armour Insurance Help You To Prevent Cyber Crime

‘Think Like a Hacker: Safeguarding Your Business in the Digital Age’ event is sponsored by Accurate Network Services and Armour Insurance.

Cybercrime, hacking, and privacy breaches are the biggest risks facing any organization today. Regardless of your size or industry—you are a target.

Think Like a Hacker to Protect Your Practice

Constable Jon Cook, an RCMP Cybercrimes Investigator, will share his experience from the front lines of this new frontier of cybercrime. Find out how hackers use social engineering and other common hacking methods that threaten your practice. Use these examples to identify potential weak spots and risk in your healthcare practice.

Safeguard Personal Health Information and Your Business

Join us for an interactive Q&A session with industry experts in Medical, Privacy, Insurance, IT, and Law Enforcement. We will answer your questions and offer you practical advice on how to protect against cyber risks.

I’ll be there to discuss privacy compliance and safeguards that you can take to prevent hackers in your medical or dental practice.

Stay and mingle with other attendees while enjoying complimentary appetizers and drinks at the historic Bell in Scona.

Don’t wait until it’s too late!

Join me at ‘Think Like a Hacker: Safeguarding Your Business in the Digital Age’ on Sept 27, 2023, in Edmonton.

Let’s tackle cyber threats in healthcare together!

#CyberSecurity #Healthcare

Get your no-cost invitation!

Do You Want To Be A Confident Healthcare Privacy Officer?

What Is a Privacy Officer?

A privacy officer is a key employee in a healthcare organization who is named by the healthcare provider (custodian) and assigned the responsibility to oversee all activities related to the implementation of, and adherence to, the organization’s privacy practices, and to ensure operational procedures are in compliance with relevant privacy laws. The privacy officer monitors employees and systems for how information is collected, used, and disclosed, and for access to identifying information.

A privacy officer may be known by other titles like privacy compliance officer or a security officer.

If your healthcare business involves the collection, use, and disclosure of your clients’ and patients’ personal health information, a privacy officer is necessary in order to meet legislated requirements.

If You Don’t Have a Privacy Officer

Healthcare practices without a privacy officer often experience confusion about how patients’ personal health information should be collected, used, and disclosed. Patients may complain about lack of access to their personal health information. Without a named privacy officer to assume the responsibility to implement and monitor reasonable administrative, technical, and physical safeguards you are more likely to experience privacy and security incidents, privacy breaches, investigations, fines, and charges under the privacy legislation!

Here are some examples of what can happen if you don’t have a privacy officer:

  • In 2019, the British Columbia Office of the Information and Privacy Commissioner (OIPC) conducted a privacy audit of 22 medical clinics. The auditors found gaps in privacy management programs at several clinics, including the absence of a designated privacy officer, a lack of funding and resources for privacy, and a failure to ensure that privacy practices keep up with technological advances.
  • A complaint was made against a medical clinic with an employee suspected of accessing health information for an unauthorized purpose. The Alberta OIPC investigated and revealed confusion around the roles and responsibilities of privacy compliance among the custodians and the privacy officer. The OIPC determined that the custodian was in contravention of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. (See Do You Know Where Your Policies and Procedures Are?)
  • Employees are not aware of privacy requirements and engage in snooping into personal health information. Consequences of employee snooping include firing, charges under the Health Information Act, and court-ordered fines, jail time, probation, community service, and more. (See Snooping Conviction Earns 3 Years Probation)

Roles and Responsibilities

So, what does a privacy officer do? The roles and responsibilities of a privacy officer in a typical healthcare practice include the following:

  • Identify privacy compliance issues for the business.
  • Ensure privacy and security policies and procedures are developed and keep them up to date.
  • Ensure that everyone working at your clinic and your vendors are aware of their privacy obligations.
  • Monitor your clinic’s ongoing compliance with privacy legislation like the Health Information Act (HIA) in Alberta.
  • Provide advice and interpretation of related legislation for the business.
  • Respond to requests for access and corrections to personal information.
  • Ensure the security and protection of personal information in the custody or control of the business.
  • Act as the primary point of privacy and access contact for staff, patients, vendors, regulators and other stakeholders.

Get the FREE Practice Management Success Tip, Privacy Officer Job Description Template.


Build a Strong Privacy Management Program for Your Clinic with These 5 Critical Modules

Many privacy officers in small healthcare practices have other roles—as a clinic manager, healthcare provider, computer network technician, or business owner. It is little wonder that new privacy officers can feel overwhelmed when trying to balance these responsibilities every day.

But that’s not the end of the problem. It actually gets worse!

You could continue to –

😮 Panic when a patient asks for their information for access or correction.

😔 Scramble when new employees and healthcare providers join your clinic . . .and suddenly realize that you never got around to providing privacy and cybersecurity awareness training.

😯 Hope that your practice will not be tapped on the shoulder for a practice review by your college or the OIPC.

🤐 Ignore a privacy breach and hope no one else notices.

😒 Avoid difficult decisions with your owners / staff who insist on doing things their way – even when it is not privacy compliant.

😞 Never get ‘review privacy impact assessment’ and ‘review privacy policies and procedures’ off of your to-do list.

😥 Avoid discussing privacy and security with your EMR and computer networks managed service providers because you are unsure of what questions to ask and what types of answers you should receive.

If you don’t have a written privacy management program and action plan, you are missing the systems to monitor routine tasks that will protect privacy and alert you to potential problems before they become privacy and security incidents.

Carrying out the duties of a Privacy Officer correctly is vital to ensure your organization is safe from the consequences of a big privacy breach.

But did you know that organizations that have a privacy officer and a privacy management program:

  • Are less likely to have a privacy or security incident
  • Have increased staff satisfaction
  • Have increased patient satisfaction and outcomes

We Know That Privacy Is Good For Business

We know that having policies, procedures, and systems in place will improve privacy compliance in your organization and help you make good business decisions.

When we have consistent practices in place, it improves communication and prevents a multitude of problems.

I’d like to share with you what I believe are the 5 critical modules of a privacy management program.

The 5 modules of a strong privacy management program for your clinic are:

  1. Know Your Obligations
  2. Train
  3. Privacy Breach Management
  4. Document
  5. Access and Disclosure

We expect organizations which collect, use, or disclose health information to have key components of a privacy accountability program. These include:

Every healthcare and private organization that is subject to privacy laws must comply with them. A comprehensive privacy management program provides an effective way for organizations to create a culture of privacy in their practice, practice accountability for the collection, use, disclosure, and access of personal information, and show compliance with regulations.

Module 1—Know your Obligations

​Key accountability for your privacy management program starts with your healthcare provider(s). These are also known as “custodians”. They are ultimately responsible for the privacy, confidentiality and security of personal health information (PHI).

The key healthcare provider—physician, dentist, chiropractor, nurse—can assign or delegate a key person who is accountable to the custodian to implement and monitor a privacy management program. This is often known as a privacy officer. In many smaller healthcare practices, the clinic manager or practice manager is also the privacy officer.

The business owner (who might also be the healthcare provider) also has obligations to follow the privacy laws as they relate to the privacy of personal information of employees and customers and to general business information.

The healthcare provider, business owner, and privacy officer form a ‘trifecta’ of authority and responsibility in your practice to ensure that you comply with privacy legislation, professional standards of practice, and contractual commitments.

Knowing your obligations includes establishing clear authority and accountability in your practice, identifying what identifying information you have in your practice, and understanding how privacy legislation guides your business. Your privacy officer and custodians may require training in these areas to better understand their obligations.

Module 2—Training

​Training is an important component of your privacy management program. The privacy officer in your organization ensures that privacy awareness, cybersecurity, and privacy breach management are provided in your healthcare practice.

There should be both a formal and an informal training plan. A pre-planned privacy awareness training must be available for everyone in your organization, including new and seasoned professionals. It is critical that you can provide and document that everyone in your organization completed consistent common training.

We can provide informal training throughout the year. For example, have a standing agenda item during your staff meeting to do something consistently for everyone in the organization throughout the year. Leverage activities like Data Privacy Day, Change Your Password Month, Cybersecurity Awareness Week to provide a variety of content.

A frequently missed trigger for additional training happens when an employee is promoted to a new position. This is a great opportunity for the privacy officer to meet with the employee and discuss their new role and how their new responsibilities (for example, authorizing new users or supervising employees) contribute to the confidentiality and security of PHI.

Remember to document who attended the training opportunities and keep copies of the training content to show your actions to protect privacy.

Listen to the podcast How To Keep Privacy Awareness Top Of Mind | Episode #093 for more tips and resources to help you plan training throughout the year.

Module 3 – Privacy Breach Management Plan

​Ensure that a written privacy breach management procedure is part of your overall privacy management program. The privacy officer will document your privacy breach management policies and procedures, sanctions policies and procedures, and train all employees to identify a privacy breach and report it to their supervisor. The privacy officer will manage a (suspected) privacy breach and ensure notification to their custodians, individuals affected by the breach, and others as needed.

The privacy officer will manage mandatory privacy breach notification requirements under health privacy legislation like the Alberta Health Information Act (HIA), the Ontario Personal Health Information Protection Act (PHIPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and other provinces’ legislation.

See Understanding a Privacy Breach for more tips.

Module 4—Document

​I think most people in healthcare are familiar with the adage, “If it is not documented, it didn’t happen.” This applies to your privacy management program, too. Your program should include written:

  • Health Information Privacy and Security Policies, Procedures
  • Risk Assessment – Safeguards
  • Practical Privacy Review
  • Privacy Impact Assessment
  • Information Management Agreement
  • Information Sharing Agreement
  • Successor Custodian
  • Training plan

These actions will help you protect the PHI of your patients and your business. They help to demonstrate your compliance with your privacy and security obligations. Review and update these key documents annually.

See Privacy Impact Assessment for more tips.

Module 5 – Access and Disclosure

​When you collect PHI from patients and PI from employees and customers, you must ensure that they can access, correct, and authorize disclosure of their information.

Release of information (ROI) policies and procedures are a critical module of your privacy management program. Your privacy officer is tasked with ensuring that your ROI plan is written, understood, includes specific training for your employees, and follows legislated standards and professional college standards of practice. When you meet your ROI obligations, you avoid complaints and breaches, work efficiently, and improve the trust of your patients.

Struggling to Learn Your Role As A Privacy Officer On Your Own?

If you are a privacy officer in a healthcare practice who needs practical privacy management strategies to protect your patients and your healthcare business but aren’t sure how to get started, register for the Practical Privacy Officer Strategies training here.

The training starts on September 26, 2023.

Not sure if this is for you?

Send me an email and ask me! I’m happy to mentor you and help you assess your practice management and privacy compliance priorities.

Listen to the replay of my recent LinkedIn Live Event here.

5 Strategies for Writing Engaging Social Media Posts for your Practice with Guest Expert Kayla Das

Are you a new clinic owner and wondering if social media marketing is for you?

Maybe you have been dabbling in social media marketing but now you are feeling overwhelmed?

Or, maybe you have an established social media presence but you want to learn new ways to get social media engagement.

In this Episode #109 of the Practice Management Nuggets Podcast For Your Healthcare Practice, guest expert Kayla Das of Evaspare Inc. provides 5 strategies for writing engaging social media posts for your practice!

Why Is Using Social Media Important?

​Kayla Das believes that the purpose of social media marketing is to inspire, entertain and to give more than you try to sell.

People are on social media because they want to be taken away temporarily from their day so they are much more likely to click on things that inspire, entertain or provide them some type of guidance and support.

After they gain trust with what you have to say you’ll be the first person they think of when they need professional support.

Kayla’s #1 Tip

“My number 1 tip for clinic managers about social media marketing when you are starting out is to start small. Choose only one or two social media platforms. You do not need to be on every social media platform to get engagement. Start with a social media platform that you are familiar with and that you believe that your ideal client uses.” – Kayla Das

Listen To The Podcast

5 Strategies for Writing Engaging Social Media Posts for your Practice | Episode #109

Listen to the Practice Management Nuggets for Your Healthcare Practice podcast. Get practical practice management and privacy tips to help you start, grow, and improve your healthcare practice. If you are a clinic manager, team lead, healthcare provider, or practice owner, these practical tips will save you time and money.

I help you manage the pink elephant in the room.

Listen here: Practice Management Nuggets Podcast

Featured Guest: Kayla Das, Evaspare Inc.

Kayla Das is a Social Worker and Business Coach for therapists and coaches. Kayla works with therapists to:

  • create a strong private practice foundation based on values;
  • develop marketing strategies that are authentic and generate profits; and
  • establish business systems and processes that are designed for practice sustainability.

Would you like more social media and business strategy tips from Kayla?

Pop over to the podcast show notes here to listen to the podcast!

Be sure to grab Kayla’s gift to help you create engaging social media images.

You may also be interested in:

Social media is about creating a strong digital presence and building relationships – with your clients, with employees and new recruits, and with other colleagues and allies in your field.

If you decide to use social media in your business, you need clear rules about who will authorize messages. You also need a strong social media policy to provide direction and education to your employees about what they can – and can’t – say on-line.

Social Media Practice Management Success Tip – Social media policies, procedures templates to help ensure a professional and privacy compliant presence online while also positively representing and supporting your business brand.

Managing Employees When They Make Mistakes With Stacey Messner

Managing Employees When They Make Mistakes – Addressing Employee Performance and Restoring the Workplace

Have you ever had an employee who has made a mistake and now you’re scrambling about what to do next?

Your business needs a set of reasonable rules and guidelines for employees to follow. This helps to create a safe and respectful workplace and protect the privacy rights of your patients and employees.

Your healthcare practice should have a written policy and procedure to guide you in your response to a privacy and security incident.

Sometimes, our employees have been directly involved in the incident. For example:

  • Petty theft (personal gain)
  • Snooping in patient or employee records (disregarding policies)
  • Faxing a report to the wrong recipient (carelessness)
  • Using patient or employee information to cause harm (malice)

When employees and healthcare providers do not meet our expectations, sanctions or discipline may be appropriate.

In this episode #105 of the Practice Management Nuggets Podcast, guest human resources expert Stacey Messner gives practical advice to clinic managers and privacy officers to navigate difficult conversations after an employee makes a mistake.

Listen To The Podcast

Managing Employees When They Make Mistakes – Addressing Employee Performance and Restoring the Workplace | Episode #105

Expert tips with Jean L. Eaton on Practice Management Nuggets Podcast For Your Healthcare Practice.

Listen here: Practice Management Nuggets Podcast


Are you prepared to have difficult conversations with your employees?

Grab this tip sheet from Stacey Messner free when you subscribe to Stacey’s newsletter list.

Listen in a different way

Featured Guest: Stacey Messner

Stacey Messner Will Teach You How to Manage Employees When They Make Mistakes – Address Employee Performance and Restore the Workplace

Human resources expert Stacey Messner, Leader in HR, gives practical advice to clinic managers and privacy officers to navigate difficult conversations after an employee makes a mistake, addressing employee performance improvement and workplace restoration practices.

Get Stacey Messner Listen Differently Tip Sheet

Stacey Messner, Leader in HR, has been providing human resource consultation on a contract basis to businesses in the North Peace Region of Alberta since 2016.

With over 20 years of experience working in all disciplines of HR in many industries including not for profit, Stacey prides herself in providing HR services and support to leaders in workplaces who are responsible for their HR programs.

The services Stacey offers are HR advisory, training and development, workplace assessment, conflict resolution, and special projects such as job description review, HR policy manual, performance review, recruitment, and orientation programs. Stacey was born and raised in the Saskatchewan prairies and married into a Peace Country family where she lives with her husband and kids.

She is an active member in her community, loves raising a family in a rural setting, and enjoys the activities and beauty of the region.

Do You Use Employee Privacy and Security Policy and Procedure Checklist Templates?

Why Do You Need Policy and Procedure Checklists for Onboarding and Exiting Employees?

There is much excitement when we welcome a new hire to our team and there are many administrative tasks that need to take place to get this individual up and running. An employee policy and procedure checklist will help!

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed to protect patient privacy as required by our professional colleges and privacy legislation. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

To ensure that onboarding a new employee is a smooth transition, it is imperative to follow a practical checklist procedure to make sure no important steps are missed. There are also many other managerial benefits to adopting this high-quality process:

  • Better job performance and satisfaction
  • Greater commitment to protecting privacy in the organization
  • Reduced stress and better staff retention

Employee Privacy and Security Policy and Procedure Checklist

Policies and procedures are reasonable safeguards to protect the personal and health information entrusted to us. But policies and good intentions alone are not enough; we also need to take action to ensure our policies are understood and are being followed by all our employees.

Training new and existing staff on privacy and security best practices is instrumental in making your healthcare practice a success and maintaining its fine reputation. Following a systematic approach to welcoming a new employee, transitioning an existing employee into a new position, or offboarding an employee who is exiting will guarantee that valuable privacy and security training and accesses are completed.

Read this Privacy Breach Nugget that explains what can happen if you don’t have these good practices in place. Do You Know Where Your Policies And Procedures Are? 

New Employee Orientation / Onboarding

New employees are a welcome addition to any team and there is a vast amount of training that needs to take place from general procedures on how to handle phone calls to signing confidentiality oaths to becoming familiar with all policies and procedures, in addition to learning the everyday job duties for their own position.

Since privacy is good for business, we do not want to miss any important opportunities to train our new staff on privacy and security best practices. Using the Employee Privacy and Security Checklist will help facilitate training discussions and document the authorized accesses of each employee.

Existing Employees / Annual Review

The checklist will also act as a tool for each employee at their performance review. Provide positive feedback and observations of an employee’s successes in protecting personal information. Discuss opportunities for improvement, too. This is also a good time to review an employee’s current authorized role-based accesses and determine if any changes are needed to match the employee’s current job duties.

Ensure that the employee still has the ‘tokens’ that they were given at the time of their hire, such as an identity badge, keys to the clinic, or an Alberta Netcare RSA fob.

Privacy and security best practices dictate that confidentiality oaths should be signed on an annual basis and annual privacy awareness and security refresher training should also be provided to all employees. In the event of a privacy incident or breach, it is imperative that a healthcare practice can prove by their documentation that regular privacy and security training is provided to their staff.

Transferring / Exiting Employees

When an employee transitions into a new role or is terminated, review and update the privacy and security checklist to ensure that access and permissions are appropriately modified or terminated.

Custodian Responsibility

Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This includes having appropriate policies and procedures in place, as well as demonstrating and documenting that you have implemented your plans. This is a requirement of professional college standards of practice and privacy legislation like the Health Information Act (HIA).

See the article Do You Know Where Your Policies And Procedures Are? to learn what can happen to you if you don’t have your employee training process well documented.

The Employee Privacy and Security Checklist will make it easy for you to ensure your new hires, existing employees, and transferring or exiting employees are privacy and security compliant.



Your practice also needs to have policies and procedures that set out how you ensure the privacy, confidentiality, and security of the health information you collect, use, and disclose. Don’t know which policies and procedures you need? Download the Privacy and Security Policies and Procedures Checklist below!


Practice Management Success

If you are a member of Practice Management Success, login and access the webinar replay, and the policy, procedure, and checklist template.

Not a member? Join today!


When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

In order to provide services, healthcare practices must collect pertinent information from patients. This data gathering often includes many sources of information, across different types of technology, among multiple vendors. Good business practices and health records management are supported by three agreements your healthcare practice must have: information manager agreement (IMA), information sharing agreement (ISA), and successor custodian agreement.

For instance, when a patient attends a clinic, their details are nearly always entered into a computer software program to maintain demographic information, manage patient appointments, and to process payments. Often, health service providers (including physicians, pharmacists, chiropractors, dentists, psychiatrists and more) record their patients’ notes into an electronic medical record (EMR).

Patient information is shared between providers where required. For example, when the patient visits a diagnostic lab for testing, results are often transmitted electronically to the ordering physician’s fax machine or to the EMR.

Custodians, including physicians, pharmacists, chiropractors, dentists, and psychiatrists, as defined by Alberta’s Health Information Act (HIA), must follow HIA legislation when they collect, use, and disclose health information.

Often, custodians are also the owners of independent healthcare practices. However, an owner of a healthcare practice is not the custodian if they are not also an active member of a regulated health profession named as custodians in the HIA.  

1. Information Manager Agreement

The HIA allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, so patients can receive health services and make payments. This often requires the custodian to share patient information with a vendor (or give the vendor access to it) so the vendor can process, store, or provide information as needed.

The custodian selects one or more businesses to provide the services, equipment, or software to assist in the management of health information. For example: EMR provider, contracted transcriptionist, billing agent, remote backup service, etc. These businesses are known in the HIA as information managers.

Before sharing health information with someone else, the custodian must ensure that the partners and vendors have reasonable safeguards in place to protect sensitive health information. The custodians must ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

The Information Manager Agreement (IMA) is one of three crucial agreements a healthcare practice must have in place.

If You Don’t Have an IMA

If you are a custodian who uses vendors as part of your business and you do not have an IMA with that vendor…

  • You are in breach of the HIA.
  • You may incur fines under the HIA.
  • You may face sanctions and disciplinary actions from your professional regulatory college.
  • Almost certainly, you will encounter conflicts and poor communication between yourself and the vendor(s) and the other participating custodians in your practice.
  • You may lose control of the health information, as reported in the Investigation Report H2013-IR-01 from the Alberta Office of the Information and Privacy Commissioner (OIPC).

In a press release from the Alberta OIPC in 2013, Information and Privacy Commissioner Jill Clayton noted that:

“The HIA allows custodians to disclose health information to IT service providers, such as EMR vendors, under an appropriate Information Manager Agreement. When custodians do not sign these agreements, they may find themselves in the unfortunate position of losing control over the health information they need to provide health services.”

Investigation Report H2013-IR-01

Who Must Create the Information Manager Agreement?

The custodian is responsible to ensure that there is an appropriate IMA created and signed.

The information manager can assist the custodian by preparing templates of the IMA including specific details of the services that they will provide and the safeguards that the vendor will implement to protect personal health information.

Key Points About IMAs

A few important notes about IMAs.

  • IMA must be signed by the custodian.
  • Agreements signed by individuals who are not custodians are not valid under the HIA.
  • Custodians are required under the HIA to have an IMA with the vendor before disclosing health information. If there is no agreement in place, the custodian is in breach of the HIA.
  • Custodians are responsible for the health information that they collect, use, and disclose. Therefore, the custodian is responsible for the IMA and for ensuring that the health information will be handled confidentially and securely.

The custodian can select the best vendor and information manager for the job. The vendor who understands the requirements of the HIA and who can demonstrate that they have implemented the appropriate reasonable safeguards and can assist the custodian to develop an appropriate IMA is, in my opinion, demonstrating a significant competitive advantage.

All healthcare providers in a community practice should spend time when creating their business to establish good business practices, including developing written contracts and agreements to improve the efficiency of the business and to make things happen in the way that they are planned.

Here is a common example

Dr. Alice and Dr. Mark created a welcoming family medical practice in a new sub-division of their city. They each worked hard to attract new patients, hire and train staff, and develop a profitable business.

In the last few years, Alice and Mark had differences of opinion on how to grow their business. In the end, Alice decided that this type of practice wasn’t for her. She decided to leave and join a larger practice in a neighbouring subdivision. Alice wanted to take her patients’ records with her to her new practice and continue to see her patients at the new location.

Mark, who had signed the IMA with the EMR vendor, did not agree to Alice’s request to transfer her patient records to her new group practice.

Alice and Mark argued and eventually involved a professional mediator to help them resolve their business conflict. Hurt feelings between the providers and staff, costly delays in their business and expenses could have been avoided if Alice and Mark had established clear expectations in the event of the termination of their business partnership when they started their group practice. An IMA between custodians in a group practice is a recommended best practice.

When You Have Multiple Custodians in Your Healthcare Practice

When the practice has multiple providers, the owner and custodian frequently assumes responsibility for maintaining the contracts and IMAs with the vendors. Each of the participating healthcare providers may delegate the responsibility of maintaining the vendor arrangements to the custodian owner. This can be achieved with an IMA between the owner / custodian and each participating custodian.

Each healthcare provider custodian is considered the custodian of the health information that they collect. The custodians can jointly agree to all use the same EMR. This provides continuity of care for the patients and economy of scale for the participants of the practice.

When the owner/custodian signs the agreement with the EMR, they become the signatory custodian. The EMR vendor takes their instructions from the signatory custodian.

The owner / custodian is now an information manager for all the participating custodians but does not become a custodian of the health information provided to them in their role as an information manager.

For example,

Dr. Bill opened his medical practice, ABC Clinic. Later, additional physicians were recruited to work at ABC Clinic. The physicians are each custodians as defined by the HIA.

Dr. Bill assumes the responsibility for the operations of the clinic including the computer network and the contract with the EMR vendor. Dr. Bill is the information manager for the patient records at the clinic.

Each physician signs an IMA with Dr. Bill and agrees that he will continue to manage the patient records on their behalf. Dr. Bill is operating as an information manager.

In his role of the information manager, Dr. Bill must follow the instructions from each physician, the custodian, as it relates to the management of their patients’ records.

2. Information Sharing Agreement (ISA)

When you have more than one physician in your practice, you need an agreement about how you will decide to manage the personal health information in your practice.

An Information Sharing Agreement (ISA) focuses on the internal decision making about all things related to personal health information, whereas an IMA is an agreement with a single vendor about the services that the vendor provides.


An ISA may include things related to the services that a vendor provides but is not limited to just vendor services.

It also includes decisions about the process to ensure appropriate role based access to personal health information in the EMR, computer network, and paper formats; the regular review of health information privacy and security policies and procedures, ensuring privacy and security awareness training, the regular review of administrative, technical, and physical safeguards in the practice, and so on.

In larger organizations or when several smaller organizations participate in an information sharing initiative, a Data Management Committee may provide oversight and facilitate this process.

An ISA is a requirement of the College of Physicians and Surgeons of Alberta.

Identifying a successor custodian is also a requirement of the College of Physicians and Surgeons (CPSA).

3. Successor Custodianship Agreement

As a business owner, you need to plan a successor to the business. This might be an interim or short-term decision to ensure continuity during an absence or future retirement planning or unexpected illness or death.

In healthcare, physicians and custodians have the added responsibility as the ‘gatekeeper’ for patient records. In the event of a sudden inability to meet these responsibilities, physicians need to identify a successor custodian to ensure appropriate and continued access by patients to their health information for their continuing care and treatment, and to ensure that the obligations for the confidentiality and security of, and access to, patient records continue to be fulfilled.

Have you identified a successor custodian? Each of the physicians in your group practice should also identify their own successor custodian.

This is a CPSA requirement and should also be included in the Privacy Impact Assessment if you have this information available. See CPSA, Patient Record Retention, s.5:

A regulated member acting as a custodian must designate a successor custodian to ensure the retention and accessibility of patient records in the event the regulated member is unable to continue as custodian. (Reference: Health Information Act Section 35(1)(q))

If you are a chiropractor, the Alberta College and Association of Chiropractors (ACAC) further requires its members to name a chiropractor as the successor custodian to maintain the status of ‘chiropractic’ records. (See the ACAC’s Standards of Practice s5.3 Custodianship of Health Records.)

A chiropractor, as a custodian of health records, is responsible for the care and control of the health records in their practices as required by the Health Information Act of Alberta. A custodian of active chiropractic files must be under the custody or control of an active, registered member of the ACAC.

Note that under the Health Information Act, a chiropractor may disclose files to another custodian who is not a chiropractor, and only a chiropractor may have custody or control of chiropractic files. Chiropractic files disclosed to a non-chiropractor should no longer be considered chiropractic files.

A custodian must implement technical and physical safeguards to protect the confidentiality of the information and privacy of individuals as well as protections against reasonably anticipated threats to the security or integrity of the information. A custodian must also defend against unauthorized uses, disclosures or modifications of the information. Safeguards must be periodically assessed and documented in policies and procedures.

If you are working in an owner/custodian scenario discussed above, clearly identifying a successor custodian becomes imperative. An unplanned absence of the owner / custodian can seriously jeopardize the business and the continuing care and treatment of patients.

The custodian can, but is not required to, name another custodian in the same practice to be their successor. Whatever your decision, ensure that this is well documented and easily accessible to the other custodians and key decision makers in your organization in the event of an emergency.

The best time to create IMA, ISA, and Successor Custodianship Agreements is when you start your healthcare business.

The second best time is now.

What are you waiting for?

If you need assistance, contact Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers. I’m here to help you with your Practice Management Success.

If you are a member of Practice Management Success, login here to access the Top 3 Agreements.

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course

Do you need a Privacy Impact Assessment?

Or do you need to amend an existing PIA?

Privacy Impact Assessments are just one of the requirements you need in order to fulfill your obligations in Alberta’s Health Information Act (HIA) and other legislation and are an important aspect of developing privacy best practices in your office.

And a little help along the way is always a good thing.

Practical Privacy Coach, Jean  L. Eaton of Information Managers, is constructively obsessive about privacy, confidentiality, and security when it comes to the handling of personal and health information, particularly in primary health care settings. Jean has helped hundreds of healthcare providers, vendors, and health and social service delivery organizations and associations complete their Privacy Impact Assessment which have been successfully accepted by organizations’ management and regulators. Jean has customized and delivered privacy training programs for privacy officers, records management professionals, implementation teams, and healthcare providers across Canada and the US.

Now you can have access to five modules to help you learn everything you need in order to complete your own PIA.

**** New PIA Amendment Track ****

Each module includes a video training, as well as templates, tools, resources and case studies to build on in each lesson. You can use this scenario to guide you through the PIA process in healthcare. If you work in healthcare or privacy or records management and need to do a PIA, this e-course is for you.


You need a Privacy Impact Assessment (PIA) when

  • You are opening a new clinic or establishing a new health services program.
  • You are changing administrative procedures or technology equipment, services, or vendors.
  • You are changing how you collect and use personal information.
  • You are implementing or changing an Electronic Medical Record (EMR).
  • You are sharing health information with another healthcare provider, organization, Primary Care Network or other health program.
  • You want to prevent a privacy breach.
  • You have a Privacy Impact Assessment that was written more than 2 years ago. (It is time to review and update this!)


If you are a healthcare provider or practice manager and you need your first Privacy Impact Assessment, this e-course is for you.

Are you in a group or solo practice with direct patient care, for example:

  • Physician
  • Pharmacist
  • Registered nurse
  • Optometrist or optician
  • Chiropractor
  • Physiotherapist
  • Midwife
  • Podiatrist
  • Dentist, dental hygienist or denturist
  • Audiologist
  • Mental health practitioner
  • Laboratory, x-ray, and imaging technician
  • Paramedic

A PIA should be as commonplace to a healthcare practice as a business plan is to a business. BUT most healthcare practices don’t know this and often don’t know that a PIA is usually part of their professional college requirements and often even a legislated requirement! Prevent malicious errors, omissions or attacks that could result in fines and even jail time for the business, healthcare provider, employee, or vendor by completing a PIA.


If your Privacy Impact Assessment was written more than 2 years ago, this online on-demand course is for you!

The Clinic Manager, Physician Lead, and Privacy Officer must ensure the PIA’s content is updated to reflect the current state of administrative, physical and technical controls.

BONUS! Checklist to update your PIA to meet recent changes to Alberta’s Netcare Portal. If your practice has completed a PIA and now you need to update the PIA, you receive a checklist of items that you need to consider to refresh your PIA.


If you are a vendor that supports healthcare practices, this e-course is for you!

BONUS! One hour tele-consult with Jean, “Create a branded Privacy Impact Assessment Readiness Package”. Jean will work individually with you to review your documentation and coach you on how to prepare the package to give to healthcare practices.

BONUS! Vendor PIA live webinar includes Vendor non-disclosure agreement, Information Manager Agreement, GAP Analysis, Computer Network Narrative templates.


Jean has helped hundreds of physicians, chiropractors, pharmacists, and other healthcare providers complete their Privacy Impact Assessment. She has visited hundreds of practices across Canada. But time and geography limit my ability to visit each healthcare practice that needs a PIA. That’s why I developed this on-line interactive course to help you learn everything you need in order to review, amend, or create your own PIA. Each module includes a video training as well as templates, tools, resources and two common case studies to build on each week. You can use these scenarios to guide you through the PIA process.

You know your practice better than anybody else. If you had the right tools, at the time most convenient for you and a mentor to help you, you can develop good office practices, meet legislated and college requirements, and successfully complete your Privacy Impact Assessment requirements.

Using a webinar-based on-line interactive program, you will get great content and mentoring from Jean Eaton, including once a month during the live Q&A training webinars. Learn the PIA process with these modules.

The modules include:

Module 1:

PIA to Protect Your Practice, Your Assets, and Your Patients



Module 2:

Information Flows – the Foundation of Your PIA



Module 3:

Risk Analysis and Mitigation Strategies



Module 4:

PIA Format – Pulling it All Together



Module 5:

Complete Your PIA Submission


BONUS Module 6:

Create a Branded Privacy Impact Assessment Readiness Package


The replays, tools, and resources will be available to you right away.

If you are new to this field, I suggest that you first register for Privacy Awareness in Healthcare: Essentials to master the key definitions and concepts.



Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments –

A Complete Step-by-Step Course

5 Core Modules, Templates, Training, and Tools to Get Your PIA Done!

Monthly Live Q&A Training Webinars

$450.00 (plus GST)

Purchase e-course


You will get

  • Learning Resource Guide for EACH module – how-to explanations, templates, and resource lists
  • Checklists to help you plan your PIA
  • MindMap of the entire PIA process
  • PIA project plan timeline templates
  • Checklists of personal and health information privacy and security policies that you need in your practice
  • Many examples of projects in medical, dental, chiropractic and more practices, including new PIA projects and PIA amendments.
  • Explanation and real-life examples of key terms that you need to know and include in your PIA
  • Strategies and templates of risk management assessments that you can customize
  • This E-course might qualify for CPE credits, too!


BONUS! Monthly live Q&A webinar training with Jean to help you get un-stuck with your PIA.

BONUS! Checklist to update your PIA to meet recent changes to Alberta’s Netcare Portal.

BONUS! Private discussion group with other registered participants of this course to network and support each other on your PIA journey and continue to help you after this course closes.

BONUS! Regular updates of privacy resources and templates that you can use.


If you hired a consultant to do the work of the PIA process for you it may cost you as much as $3,000!

And then…when the consultant is done, they take their knowledge out the door with them.

Invest only $450 in this course and you’ll have what you need to do your first PIA project today…and every project in the future!

“I had the pleasure of working alongside Jean to develop a PIA for my Dental Office. I could not have completed this document without her. She was there to help me every step of the way. Her online course made it easy to communicate with her as well as having so many resources to use that were so helpful. Each Module had videos to watch that explained step by step what needed to be done. The PIA document is a lot of information to put together and if it’s not enough information on its own, you also need to develop a policy and procedures manual. Jean has developed an amazing resource for this manual that was very user friendly and made a 300 page manual a lot more attainable than creating it on your own. I highly recommend taking Jean’s PIA course and having her help throughout the process!”

~~Lindsey Cave, Office Manager, Orion Dental Group


What people are saying about our PIA e-courses and in-person workshops:

Q: What did you learn from this workshop?

Participants’ Responses:

  • Understanding of need / use of Information Management Agreements and an ‘Evaluation’ agreement.
  • Lots – when / how to make amendments.
  • Compliance / requirements of PIA and their purpose.
  • PIA information; agreements, updating.


Q: What do you feel was the biggest benefit to attending this workshop?

Participants’ Responses:

  • Understanding a PIA.
  • Having a better understanding of PIAs and everything included in requirements.
  • Gain a better overview of my PIA and what I need to add; organizational strategy.
  • Clear vision of work to be done.

“When Jean told us about the Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments E-course and explained how the course will help us better understand the Health Information Act, our responsibilities as healthcare providers and our relationship with our vendors and partners, I signed up right away! Thanks again – it is no doubt that we have hitched our wagon to a shining star.”
~~Bill Stowe, Business Manager Synergy Respiratory & Cardiac Care

“This was my first ever time I had to work on a PIA and I was a little nervous about doing it efficiently – but you really made it as simple and straight forward as possible. Thank you for being available for my questions when I had them. I would easily recommend Privacy Impact Assessments to Protect Your Practice course for anyone to do their own PIA’s! Thank you so much!”
~~Karen Sarabura, Clinic Manager and Privacy Officer, CGA Medical Imaging, Alberta

“I attended the Privacy Impact Assessment Walk-through workshop (for ARMA members). Jean shared resources and on-going networking opportunities. The biggest benefit to me is to know that there is help out there in moving forward with our Privacy Impact Assessment responsibilities.”
~~Ellen Sauvé, Parkland County

Comments from other E-course participants:

“Learning about how all the information gathering systems interact was the most valuable part of this workshop”

“Excellent presenter – variety of learning opportunities.”

“Jean is an excellent speaker and I enjoyed the audio seminar you gave today and I learned a lot from your seminar.”
~~Annette T (AHIMA webinar, “Three Mistakes in Managing a Privacy Breach”)

“Jean Eaton is one of those ‘critical suppliers’ you keep in your email contacts list, no matter what company you manage. She really knows her stuff and delivers prompt, accurate information on time. Her courses are interesting, informative, and I like the opportunity to meet with classmates who have similar challenges.”
~~Kevin Morris, Shape MD, Team Leader/Office Manager


Buy e-course

In-Person Workshops Are Now Available

Are you a hands-on kinda person?

Are you more likely to get things done when you schedule your time for a working meeting?

Would you like help to kick-start your PIA amendment and review with other like-minded clinic managers and privacy officers?

PIA Amendment Workshops are available. Send a request to me and let’s set up a workshop near you! You also get full access to the on-line course to support you after the workshop.




Not sure if the E-course is for you?

Jean will answer your questions in the free webinar,


Prevent Big Fines (or Worse!) for Your Healthcare Practice

How to Plan a Privacy Impact Assessment for Your Healthcare Practice

with Jean L. Eaton
Replay Recorded Live

This webinar is for Privacy Officers, Clinic Managers, Practice Managers and anyone else responsible for doing a PIA.

You will learn what is getting in your way of getting your PIA done!

In this free webinar, you will learn:

  • 5 Manageable Steps of every PIA
  • 3 Biggest Myths about PIAs that are preventing you from completing your PIA
  • Questions Privacy Officers, Clinic Managers, Practice Managers and Healthcare providers should ask about PIAs but don’t
  • Biggest fears about doing a PIA and how you can kick it to the curb so that you can finally get it done

Join us for the webinar so that you can plan your PIA for your healthcare practice!

Sign me up for this FREE webinar

Please provide your email address below and you will be re-directed to the webinar replay right away.

Check your email in-box to confirm your registration!

Along with your webinar registration, you will also benefit from occasional Privacy Nugget tips by email, with similar privacy resources and articles that you can use right away!