Patient Access to Health Information for Tax Reporting

Posted on April 13, 2021 by Meghan in Blog No Comments

Patient Access to Health Information for Tax Reporting

Ever thought that someone might want to submit your tax returns for you?

No problem.

They will even collect your refund – their payday when they scam your personal identity.

Michael Kaiser Blog, Executive Director of Stay Safe Online, notes on his blog that tax cyber crimes are on the rise. The Tax ID thieves usually file returns early using the taxpayers' stolen personal information so that they can cash the refunds before the taxpayer can file their legitimate tax return.

Help Your Patient Access Their Information for Tax Reporting

When patients or clients ask you for their account statement information, take the time to ask them for photo ID and a proper authorization to disclose their personal information.

Help them to understand that you can release information to the patient or to another person (a spouse, for example) only with the patient's written authorization. Even ‘just' health care billing information is important.

You Care About Patient Access and Privacy for Tax Reporting

Show your patients that you care about the safety of their information by taking steps to make sure we are protecting their patient and client information.

This Practice Management Success Tip, Patient Health Information for Tax Reporting includes

Tips to help you implement this procedure
Template authorization form
Poster to quickly explain to your patients how your procedure helps to protect their privacy

Yes! I want the Poster and Procedure Template!

Practice Management Success

If you are a member of Practice Management Success, login and access the poster, procedure, and form template.

Not a member? Join today!

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies And Procedures Are?

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

New! Health Information Policy and Procedure Manuals

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security expecially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

Posted on April 7, 2021 by Jean Eaton in Blog

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

You are working at the reception desk of a healthcare practice. Suddenly, there is a police officer giving you a court order! Do you know how to prepare patient records for a court order?

Don’t Panic!

In this month’s Q&A with Jean, we discussed how to prepare patient records for a court order with confidence!

Now, just a reminder, I’m not a lawyer and I don’t play one on TV. These are my recommendations based on my experiences – as a director of health records in hospitals in Canada, as a court reporter, and as a mentor to clinic managers in independent healthcare practices – and this is not legal advice.

Follow These Steps

In this article, I am not discussing a situation which relates to a life-threatening situation that requires an immediate response. I am also not discussing when the order relates to the type or quality of healthcare provided to the patient or when the actions of the healthcare provider or clinic is being challenged or reviewed. These are topics for a different article.

Your reception staff should not accept the court order but, instead, immediately ask the officer to wait for a few minutes so that they can request their supervisor or privacy officer meet with them.

When the court order is an administrative request for information, the supervisor or privacy officer will accept the court order from the officer. Before the officer leaves, make sure that you read the court order carefully and ensure:

Who is named in the court order.
- This is often the clinic manager of the clinic. Your clinic should be specifically named or, perhaps, the name of your lead physician or healthcare provider.
Record the date and time that you received the order.
Clarify when the response is required.
Name and contact information.
- This could be of the officer that delivered the court order (if possible).
- At minimum, it should include the contact information of the court, for example, the court clerk’s office or the witness co-ordinator, or the sheriff’s office.
The province or jurisdiction of the court.
In general, this should be the same province where your clinic operates. If not, contact your lawyer for advice on how to respond.

Review Your Policies and Procedures

This is not a routine request from a patient to access their health records or a request to disclose their records to a third party like a lawyer or insurance company. In those routine requests, patients are generally required to provide a written, signed consent before you can disclose their records.

When you receive a court order or subpoena to produce patient records at a court or other legal proceeding, you are not required to get a signed consent from the patient.

Each healthcare practice should have detailed policies and procedures on how to prepare patient records for a court order. Review these now.

If you don’t have up-to-date policies and procedures, see the Practice Management Success Tip, How to Prepare Patient Records for a Court Order.

Validate the Court Order

Read the court order carefully. In particular,

Phone the contact number on the court order.
Confirm the date, time, and location that you are required to appear.

Locate the Patient Record

Find the patient information maintained in an electronic database, electronic medical record (EMR) and/or paper records. Remember to look for both active and inactive patient records as needed by the court order.

Read the patient record carefully, line by line, to ensure that the record is complete. For example, make sure that all lab reports, prescriptions, consultation notes, etc. are included in the record.

Secure the record to prevent snooping or modification to the record. Also ensure that the record is available for continuing care and treatment of the patient, if needed.

In an electronic record, prepare an audit log of all the transactions on that patients’ chart.

Ensure there is no duplicate or second chart for the patient that may have been created in error. Search by alternate names, spellings, date of birth, etc.

Ensure that each custodian included in the patients’ care and your healthcare practice’s privacy officer is informed of the court order to produce the record. The custodian should be provided an opportunity to review their clinic notes. Remind the custodian that they cannot further disclose the patient's record.

Prepare the Patient Record

Review the court order and identify exactly what information is requested. It might be for specific dates or a condition or treatment.

Keep complete and detailed notes about how you prepared your response to the court order. You will bring your notes with you to court to assist you in your testimony about how your clinic creates and maintains patient records and what you did to respond to the court order. After your court appearance, you will maintain your notes as part of the business records for the clinic.

Collect the information and record each of your steps and your results, including the records that you searched for as well as those that you did not find any results for.

If you maintain your patient records in an electronic medical record (EMR) or digital practice management software, print out a hard copy of all the information that responds to the information that is requested.

Sever (also known as redact or black-line) any information that is not appropriate to include in the disclosure. Cross-reference each redacted entry to the legal authority not to include the information in the disclosure.

If you are using an EMR, organize the paper print-out in a format that makes sense. This might be in chronological date order, or by grouping like records (clinic notes, lab results, etc.) together.

Create a ‘Table of Contents’ of the information in the patient record. This will help you in your testimony to quickly find requested information, and to help the court to locate information in the records that you have prepared.

At the same time, handwrite in ink at the bottom of each page the sequential page number in the package. Update the table of contents with the page numbers.

Stamp ‘COPY’ on each page.

When the package is complete, make a photocopy (or two) of the entire package. The ‘original’ paper copy will be maintained at the clinic. Bring the original and the copy to court and ask the court to accept your copy. Return the original package to the clinic and securely maintain this as part of the business records of the clinic until the court file is complete.

When You Attend At Court

As the clinic manager, your role at the court is to tell the court how patient information is collected and maintained in your healthcare practice. Your job is not to interpret the content of the clinic notes.

A few days prior to the court date indicated on the court order, phone the clerk’s office or witness support office to confirm the date, time, and location of the proceedings and if you are still required to attend.

On the day of the proceedings, report to the clerk of the court.

Bring with you the court order, your photo ID, the patient record, and your notes. Bring a good book to read in case you have a long wait.

You will be advised (again) if you are required that day. If you are not required, the clerk will make a notation on your court order to appear that you attended and that you have been dismissed. Keep this in your business records with the patient record.

If your testimony and the patient records are required, you will be called as a witness during the court proceeding.

You will be asked to swear or affirm an oath to speak honestly during your testimony.

Typical questions that you should be prepared to answer include:

Your name.
Your role at the clinic, how long you have been in that role, your routine tasks and responsibilities at the clinic.
Describe how patient records are maintained. Be prepared to explain your EMR or computer patient management system (if you have one).
Bring your notes about the steps that took to prepare for the court order. You may ask permission of the court to refer to your notes that you created when preparing to respond to the court order during your testimony, if necessary.
Explain that the patient records are kept electronically and that you have prepared a paper print-out of those notes.
Be prepared to explain how you know that the records are complete, not missing any details, etc.
If the court asks you to enter the records into evidence, explain that you have an ‘original’ and a ‘copy’ and ask the court to accept the ‘copy’ into evidence.

When You Return to the Clinic

Complete your notes by documenting your day at the court. Write a short summary of your day including:

Did you give a copy of the patient records to the court? To whom?
Remember to add this notation to the patients’ record that you disclosed this information according to the court order.
Any follow-up required for this disclosure?
Review your procedures. Anything that you would edit or provide additional instructions that will help you to be better prepared for next time you receive a court order?
Submit a copy of your out of pocket expenses (parking receipts, meals, etc.) for re-imbursement by your employer, if applicable.

What You Should Do Now

Review your policies and procedures now to ensure that it includes how to respond to a court order.
Train your reception staff on what to do if they receive a court order.
Train your privacy officer and clinic manager on how to prepare a patient record for a court order.

Depending on where you work, you may receive a court order regularly or it might be a once-in-a-career experience. When you have policies and procedures and a little bit of training to assist you, you can respond to a court order calmly and confidently.

If you are a member of Practice Management Success, login and access the ’Procedure: Preparing Patient Records for a Court Order’ template and the replay of the tutorial video.

Download Practice Management Success Tip - Preparing Patient Records for a Court Order Now!

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

court order patient records, health care, health records, healthcare, medical, Practice Management Success, subpoena to produce patient records, template procedure

Hire a Health Information Management Summer Student In Your Healthcare Practice

Posted on March 15, 2021 by Meghan in Blog

Hire a Health Information Management Student!

Summer is often a time to ‘catch up’ on outstanding projects. It can also be a time to prepare for programs for the fall.

Summer students can help you with jobs like archiving patient records, preparing data to move to a new EMR, setting up a new on-line appointment booking program, or implementing panel management for your practice.

Health Information Management Program at the Southern Alberta Institute of Technology (SAIT)

The role of health information management goes beyond managing health records to managing the information contained in those records. Using computer skills and knowledge of healthcare fundamentals, critical medical information is translated from patient health records into data following national data standards. The health information management professional then interprets the data to provide comprehensive quality information for patient care, resource allocation, statistics, research, planning and education.

Find out more about the Health Information Management program at SAIT here: https://www.sait.ca/programs-and-courses/diplomas/health-information-management

SAIT is accepting applications now for practicum students in May and June of this year. They can help you start or update your panel management program in your healthcare practice!

This is an un-paid practical experience for students in the Health Information Management program.

Contact Lisa Proudfoot at SAIT for more information by clicking the button below.

Contact Lisa Proudfoot

Why You Should Hire a Health Information Management Summer Student

It is a cost-effective solution for short-term hiring needs; employers get quality skills at affordable prices.

It is an excellent way to evaluate potential employees.

Students bring fresh, innovative ideas to your business.

It is an investment that you make in attracting dedicated employees.

What’s In It For Me? (WIFM)

Often, we learn more about what we do when we teach someone else. When you hire a student, you mentor an enthusiastic student. You provide knowledge, experience and connections to further the career direction of a student.

You can provide a positive difference in a young person’s career by setting an example of professionalism. You encourage the student to strive for and provide a focus on future career direction and advancement.

Learn More About HIM Students and Panel Management

Listen to the podcast with Stephanie Clack, Program Specialist and an instructor in the Health Information Management program at the Southern Alberta Institute of Technology (SAIT), to learn more about panel management and how Health Information Management students can help you!

Listen to the podcast on www.PracticeManagementNuggets.live or click the button below!

Listen to the podcast here!

Health Information Management, HIM Professionals, panel management, SAIT, Southern Alberta Institute of Technology, summer student

Can We Email Patients During COVID-19?

Posted on March 11, 2021 by Meghan in Blog

Q: Can we send an email to our recent patients to inform them that we are open during the current COVID restrictions?

We know that some patients are reluctant to see their care provider in person because of the COVID-19 pandemic. They are worried that they may have to wait in a crowded waiting room, or they are concerned about the possibility of waiting outside in the cold. They may not know about new care options, such as a phone consultations or video meetings.

Can we email our patients to let them know how we are addressing their concerns?

Update – This works for letting your patients know that you are offering vaccinations, too!

A: Yes, with certain limitations

In my opinion, if you are reaching out to **recent** patients / clients to assist them with their **current** health care questions, it is OK to send an email to let them know how you can provide health services within the current pandemic restrictions.

Here are some tips to help you review or create your procedures how to use email with your patients.

Make sure you have previously collected a patient's email address and their consent (verbal is OK, written is better) to use their email address for health service related messages before emailing them.
Do not accept work email addresses for patients; it must be a personal email address for the patient.
Update the patient’s demographic information, including the email address, regularly. Make this part of your process every visit as part of your identity verification.
Update the patient's consent to use their email address every time you have an in-person or telephone conversation with the patient.
Use a script for calling patients to update information and to get consent for using their email address

Use the EMR system to send patients appointment reminders or patient education resources related to their recent visit.

If you also want to send your patients engaging articles about your healthcare providers, services that you provide, or classes or products that you sell, I suggest that you use a system different from your EMR. Use an autoresponder email system to send your patients marketing materials, engaging articles and other pieces of information on a separate marketing email platform. Remember, your patient must opt-in to consent to receive information from you using your auto-responder system.

There are many autoresponder systems to select from, including MailChimp, Active Campaign, Constant Contact and many more.

Join me on the FAQ video to find out when you can email patients during COVID. Click the button below to watch!

Watch the FAQ video HERE!

Interested in learning more about Email Marketing to your patients / clients?

Check out this blog from Top 10 Do’s and Don’ts of Email Marketing For Physical Therapists & Chiropractors by CallHero .

If you use Social Media to connect with your patients / clients, you might need the Practice Management Success Tip Social Media Management.

Get it here!

Show me Social Media Management

clinic, COVID-19, email and patients, health, healthcare, pandemic, public health restrictions, social media

Privacy Compliance and Technology in Healthcare

Posted on March 7, 2021 by Meghan in Blog

Privacy Compliance and Technology in Healthcare

Event by Rafiki Technologies with Information Managers

A Privacy Impact Assessment (PIA) is a practical business tool in your healthcare practice.

A PIA is an important tool that you can use to help you with project management.

It will help you anticipate risks to the project before it starts and avoid serious problems, wasted time and money.

The PIA process requires you to have written policies and procedures so that you can implement the project effectively and train your staff consistently.

Sometimes a PIA is a requirement of legislation. But it is always a best practice whenever you implement a project that includes personal health information.

Join Rafiki Technologies’ Naheed Shivji and Information Managers’ Jean L. Eaton for a guide to successfully keep your patients’ information safe, follow cyber security best practices, and comply with the requirements of the Health Information Act (HIA).

This on-line workshop will provide you with practical tips to plan your Privacy Impact Assessment (PIA) amendment as well as a strategic cybersecurity checklist.

Who Should Attend?

Medical, dental, chiropractic, optometric, pharmacy practices in Alberta.
Clinic manager, privacy officer or administrative lead responsible for updating your Privacy Impact Assessment.
Healthcare provider

Join Naheed Shivji and Jean L. Eaton for a guide to your PIA completion and technology requirements

Thursday, March 18th, 2021

6:00 PM – 7:00 PM MT

Free Registration

Click the button below to register for the workshop!

Meet Naheed Shivji, Founder & President of Rafiki Technologies Inc.

Naheed has more than 20 years of experience in IT with expertise in the dental industry. He is a passionate entrepreneur helping companies understand and embrace technology and is always searching for business best-practices while giving back to the community.

Naheed works hands-on with his clients to develop winning IT strategies and smooth implementations. He is constantly learning and adapting to industry trends to maintain Rafiki Technologies’ position as a leading managed IT services company in Canada.

Meet Jean L. Eaton, BA Admin (Healthcare), CHIM, CC

Your Practical Privacy Coach and Practice Management Mentor with Information Managers Ltd.

Jean has helped hundreds of physicians, chiropractors, pharmacists, and other healthcare providers complete their Privacy Impact Assessment. She has visited hundreds of practices across Canada.

Jean helps independent healthcare practices with practice administration, privacy awareness, privacy breach management, and legislated regulation compliance in Canada.

Jean's career started as a receptionist and transcriptionist in a busy family medical walk-in practice. She moved into health records and health information management and hospital administration in hospitals, regional health authorities, cancer agencies across Canada and Alberta Health.

Now, Jean specializes her consulting practice to independent healthcare practices who want to start, grow, or improve their practice administration so that healthcare providers can focus on providing quality healthcare services. Jean provides training to businesses including healthcare on practical privacy and security best practices and privacy breach management.

If you are starting your new practice and need your first Privacy Impact Assessment, see our available consultation options here.

You May Also Be Interested In:

“What is a Privacy Impact Assessment?”

Read the article and watch the short video now to take a look at what is a PIA, what will a PIA do for you, when you need a PIA, and what is the PIA process.

You can also listen to the Practice Management Nuggets podcast episode here.

“How Long Does it Take to do a New Privacy Impact Assessment?”

Ideally, you should start the Privacy Impact Assessment process 3- 6 months prior to your go-live date. Find out more by reading the article.

cybersecurity, dentist, healthcare, privacy, privacy compliance, privacy consultant, Privacy Impact Assessment, security, technology

Do You Want To Be A Confident Healthcare Privacy Officer?

Posted on February 9, 2021 by Meghan in Blog

What Is a Privacy Officer?

A privacy officer is a key employee in a healthcare organization who is named by the healthcare provider (custodian) and assigned the responsibility to oversee all activities related to the implementation of, and adherence to, the organization’s privacy practices, and to ensure operational procedures are in compliance with relevant privacy laws. The Privacy Officer monitors employees and systems about how information is collected, used, and disclosed and access to identifying information.

A privacy officer may be known by other titles like privacy compliance officer or a security officer.

If your healthcare business involves the collection, use, and disclosure of your clients' and patients’ personal health information, a privacy officer is necessary in order to meet legislated requirements.

If You Don't Have a Privacy Officer

Healthcare practices without a privacy officer often experience confusion about how patients’ personal health information should be collected, used, and disclosed. Patients may complain about lack of access to their personal health information. Without a named privacy officer to assume the responsibility to implement and monitor reasonable administrative, technical, and physical safeguards you are more likely to experience privacy and security incidents, privacy breaches, investigations, fines, and charges under the privacy legislation!

Here are some examples of what can happen if you don’t have a privacy officer:

In 2019, the British Columbia Office of the Information and Privacy Commissioner (OIPC) conducted a privacy audit of 22 medical clinics. OIPC auditors examined 22 clinics and found gaps in privacy management programs at several clinics, including the absence of a designated privacy officer, a lack of funding and resources for privacy and a failure to ensure that privacy practices keep up with technological advances.
A complaint was made against a medical clinic with an employee suspected of accessing health information for an unauthorized purpose. The Alberta OIPC investigated and revealed confusion around the roles and responsibilities of privacy compliance among the custodians and the privacy officer. The OIPC determined that the custodian was in contravention of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to the all of the custodian’s administrative, technical, and physical safeguards with respect to health information. (See Do You Know Where Your Policies and Procedures Are?)
Employees are not aware of privacy requirements and engage in snooping into personal health information. Consequences of employee snooping include firing, charges under the Health Information Act and court ordered fines, jail time, probation, community service and more. (See Snooping Conviction Earns 3 Years Probation )

Roles and Responsibilities

So, what does a privacy officer do? The roles and responsibilities of a privacy officer in a typical healthcare practices include the following:

Identify privacy compliance issues for the business.
Ensure privacy and security policies and procedures are developed and keep them up to date.
Ensure that everyone working at your clinic and your vendors are aware of their privacy obligations.
Monitor your clinic's ongoing compliance with privacy legislation like the Health Information Act (HIA) in Alberta.
Provide advice and interpretation of related legislation for the business.
Respond to requests for access and corrections to personal information.
Ensure the security and protection of personal information in the custody or control of the business.
Act as the primary point of privacy and access contact for staff, patients, vendors, regulators and other stakeholders.

#Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed.Click to Tweet

Get the Practice Management Success Tip, Privacy Officer Job Description Template.

Who Should Be The Privacy Officer?

The custodian or the healthcare provider is, by default, the privacy officer. Alternatively, the custodian may designate a responsible affiliate for the purposes of the privacy legislation and given the title of Privacy Officer. In some practices, you may have co-privacy officers or, in practices with multiple locations, a privacy officer at each location.

In small practices, the clinic manager or practice manager is often named the privacy officer. In larger practices, an individual may be given the role and responsibilities of a privacy officer on a full-time basis.

The privacy officer should be in communication with both management and planning decision makers and the front-line staff who collect, use, disclose and provide access to personal health information (PHI).

Who Should A Privacy Officer Report To?

The privacy officer must report to the healthcare provider and custodians in the practice. They may also report to the clinic manager, business manager, or other senior management position.

In practices that are heavily dependent on computer network and medical devices technology, there may be both a privacy officer and a security officer. The security officer typically is focused on intrusion protection and detection and related technology safeguards. The privacy officer is more focused n the collection and use of disclosure of PHI.

What Should Privacy Officer Training Include?

The privacy officer role is challenging yet rewarding. Training should include privacy legislation awareness, privacy awareness, privacy management best practices, privacy breach management, risk assessment and mitigation, reasonable safeguards assessment and implementation. In addition, privacy officers may also learn how to complete a privacy impact assessment.

Training for privacy officers can include formal academic programs (U of A), sessional (CHIMA, Practical Privacy Officer Strategies), supported by professional associations (PACC), and/or self-directed learning including review of resources provided by regulators (like the OIPC) and ministry of health.

Many privacy officers in small healthcare practices have other roles – as a clinic manager, healthcare provider, computer network technician, or business owner. It is little wonder that new privacy officers can feel overwhelmed when trying to balance these responsibilities each and every day.

You may be missing the systems to monitor routine tasks that will protect privacy and alert you to potential problems before they become privacy and security incidents.

Bottom Line: If you are spinning your wheels trying to figure out how to get started, it will cost you time, money, and frustration!

Which means you never get around to implementing a robust privacy management program.

If you are a privacy officer in a healthcare practice who needs practical privacy management strategies to protect your patients and your healthcare business but can't figure out how to get started, here's the solution you've been looking for.

Introducing Practical Privacy Officer Strategies!

In this Practical Privacy Officer Strategies course, you will discover the three steps that you can do now to become a confident privacy officer, protect your patients, and your healthcare business.

Register now – and start your journey to become a confident privacy officer!

Online Course with 5 Live Training Sessions

March 9

March 15

March 18

March 22

March 24

Registration Now Open!

Learn more about the course and register HERE!

The online Privacy Officer course includes:

5 Modules each with live 1 hour on-line training with Jean (and the replays, too!)
Health information privacy principles and legislation
Introduction to the purpose of a privacy management program
Introduction to the purpose of a privacy awareness training program
Introduction to the purpose of a privacy breach management program
Roles and Responsibilities of a Privacy Officer
Healthcare privacy officer job description template

healthcare, healthcare privacy officer, HIA, privacy officer, privacy officer training, webinar

Pharmacist Convicted and Fined Under the HIA

Posted on February 1, 2021 by Meghan in Blog

Pharmacist Convicted and Fined Under the HIA

What Happened

An Edmonton pharmacist was in a vehicle accident. The pharmacist subsequently accessed and used the health information of the individual involved in the accident in an attempt to persuade the individual from submitting an insurance claim for the vehicle accident.

The individual submitted a complaint to OIPC in April 2018 and an investigation was launched.

Penalties

The pharmacist appeared in court on Friday January 15, 2021. He was convicted of an offence under the Health Information Act (HIA). He was ordered to pay a $5,000 fine, plus a $1,000 victim fine surcharge for using health information in contravention of the HIA.

This Could Happen To You

Are you prepared? If you have a privacy breach like this in your practice, be prepared to implement the 4 Step Response Plan.

Understanding the Health Information Act

It is an offence under HIA to knowingly use health information in contravention of the act (section 107(2)(a)).

What Happens When A Privacy Breach Is Reported To The OIPC

When a privacy breach is reported to the OIPC, the OIPC will review the report and consider the custodian’s determination if a reasonable risk to the patient(s) was present. The OIPC will review the report and consider:

agree (or not) with the determination of risk of harm
was the patient notified appropriately
is there an offence under the HIA
is an investigation warranted?

If an investigation is indicated, the OIPC will conduct the investigation and report their findings to the Crown prosecutors at Alberta Justice. The Crown will determine if it continues to press charges under the HIA.

Privacy Breaches – What You Need to Know

1. Provide privacy awareness training for each employee and healthcare provider at orientation and regularly throughout the employment.

2. Collect the employee’s oath of confidentiality, including an acknowledgement that the employee understands the principles of only accessing and using the health information necessary to perform their job.

3. Monitor your users’ access to health information to quickly identify when a suspicious privacy incident occurs. The sooner you identify a privacy breach, the sooner you can limit the risk.

4. Implement your sanction policy when needed. Your sanctions policy clearly identifies the sanctions when an employee or healthcare provider is liable of an offence under the HIA.

5. Report a privacy breach to your custodians and healthcare providers, the Office of the Information and Privacy Commissioner, and the Minister of Alberta Health and the individuals affected by the breach.

4 Step Response Plan

The more you know about how breaches can affect you allows you to be more proactive to prevent privacy breach pain and protect the privacy, confidentiality, and security of your patients’ information.

This is one of the many training sessions available in the e-course 4 Step Response Plan – Prevent Privacy Breach Pain

In the e-course, I mentor you and provide you with tips, tools, templates and training to help you complete your Privacy Breach Management Plan and respond to a privacy breach with confidence.

Find out more and register for the course using the button below!

Click Here To Register for the 4 Step Response Plan online course

References

AB OIPC, (https://www.oipc.ab.ca/news-and-events/news-releases/2021/pharmacist-fined-for-breaching-health-information.aspx), January 2021.

Edmonton Journal https://edmontonjournal.com/news/local-news/edmonton-pharmacist-fined-after-post-collision-snooping-of-health-info-threatening-other-driver-privacy-commissioner) January 2021

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Not sure what is considered a privacy breach? See When is a Privacy Breach a Privacy Breach?

Do you have a privacy breach awareness program in place in your healthcare practice?

Spotting a privacy breach is the first step to stopping a privacy breach.

You Can Use This Privacy Breach Example to Review and Improve Your Practice.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

4 Step Response Plan, Alberta, clinic, conviction, health, Health Information Act, healthcare, HIA, incident response, pharmacist, privacy breach

How to Manage a Privacy Breach with Confidence

Posted on January 12, 2021 by Jean Eaton in Blog, Services, Training, Upcoming events/workshops

How to Manage a Privacy Breach with Confidence

The new mandatory privacy breach notification provisions to the Health Information Act (HIA) takes effect on August 31, 2018.

Custodians will be required to notify the Office of the Information and Privacy Commissioner (OIPC) and the Minister of Health, privacy breaches with risk of harm.

If you haven’t updated your privacy breach management policy, trained your staff, and prepared your reporting procedures yet, let me help you with done-for you templates and training!

If you're a healthcare practice manager, owner or privacy officer who really needs to know how to respond to a privacy breach but doesn't have a step-by-step plan ready to implement, then here's the answer you've been looking for…

Introducing the “4 Step Response Plan” on-line education with quick and helpful content so that you will properly manage a privacy breach. This is critical to the continued success of your business.

Privacy Incidents Happen!

60% of small and medium business owners go out of business within 6 months after a privacy and security breach. Patients, clients, employees and business partners trust you to keep their private and sensitive information confidential and secure.

Mandatory privacy breach reporting is quickly becoming a legislated requirement – and many businesses are not prepared!

Not recognizing and not notifying a privacy breach quickly and properly could result in fines and even jail time for the business, healthcare provider, employee, or vendor!

Learn NOW how to respond a privacy breach – Don’t get caught scrambling when a privacy breach happens.

The biggest mistake in managing a privacy breach is not recognizing the privacy breach.

The second biggest mistake is not knowing what to do about it.

Many healthcare practice managers, owners and privacy officers can’t get past the idea that simply hoping that you won’t have a privacy breach is not a good business strategy!

But nothing could be further from the truth!

What people are saying about the ‘4 Step Response Plan’

Well it happened! We recently had a privacy breach. It was an ‘oops’ but never the less a privacy breach. I had started the 4 Step Response Plan – Prevent Privacy Breach Pain but thought I had time to go through it. Unfortunately not. Your course has been a godsend with all the information and forms that I need to work through this privacy breach and notifying process. Nancy D

Results Oriented Learning

The 4 Step Response Plan will help you with prevent privacy breach pain and give you the tips, templates, training, and tools that you can use right away to prepare your privacy breach response plan:

Learn to

Recognize a privacy breach.
Understand why a privacy breach is a significant problem.
Understand the cost of a privacy breach and why you need to be prepared now.
Use the 4 Step Response Plan to develop a privacy breach management plan.
Prevent a privacy breach from happening again.

… and much, MUCH more!

When you have a privacy breach you must recognize the breach, contain it, notify the affected individuals, and prevent it from happening again. When you have this plan you will have confidence that you have identified and managed your areas of risk and dramatically reduce the risk of a privacy breach. Your staff will recognize a privacy breach early and respond quickly. You will manage the breach with minimum of risk to your patients, clients, and your practice.

In the world of privacy breaches ‘If’ has become ‘When’. Will you be ready?

The 4 Step Response Plan includes

6 interactive lessons
60 minute training webinar
Video introduction to each lesson
Template policies and procedure NEW! Updated Privacy Breach Management Policy
Scenarios and examples
Downloadable resources, checklists and templates New! Privacy Breach Reporting Form to make it easy for you to meet your notification requirements.

BONUS – Discussion Group (not Facebook!)

Exclusive to registered participants – collaboration with others to help you solve problems and Jean will be there to answer your questions and encourage your progress.

BONUS – Q&A With Jean

Monthly incident response training using recent real-world reported privacy breaches and mentoring with live Q&A with Jean to help you overcome obstacles so that you can get your privacy breach management plan finished!

BONUS – Privacy Breach Awareness Training for YOUR Employee’s Orientation

Video (8 min) – “Can You Spot the Privacy Breach?”
Learning Resources Guide to download
Post Test
Certificates of Completion

This on-line education program may be eligible for Continuing Professional Development credits with your professional association.

Self-paced And Self-learning – All Lessons Are Available Right Away – No Waiting To Get The Content That You Need Most!

Get Started Right Now!

Not having your privacy breach management policies and procedures in place will

make it harder to respond to a privacy breach
mis steps – opens you up to fines, sanctions, and re-work that will cost you time and money
blind-sided by mandatory privacy breach reporting requirements

So if you’re a privacy officer, practice managers, healthcare providers, or a clinic manager who needs to know how to respond to a privacy breach but doesn't have a step-by-step plan ready to implement you need to act on this right now.

When you have your privacy breach response plan in place you will have confidence that you are prepared to respond to the breach with confidence.

Get the step-by-step help to customize your policies and training and

You will save time and save money.
Your staff will recognize a privacy breach early and respond quickly.
You will respond to the breach with a minimum of risk to your patients, clients, and your practice.

Click the Button Below to Get Started Right Away!

You will be re-directed to Stripe to make your purchase by credit card or debit.
Your receipt will indicate payment has been made to Information Managers Ltd.
Your confirmation and receipt will be provided to the email address that you complete your registration.
Use your best email address – you don't want to miss access to all the resources!

What people are saying about the ‘4 Step Response Plan’

Jean L. Eaton Your Practical Privacy Coach

Jean L. Eaton, BA. Admin (Healthcare) CHIM, CC is constructively obsessive about privacy, confidentiality, and security when it comes to the handling of personal information, particularly in primary health care settings.

Jean provides solutions that are practical and effective for today’s healthcare providers so they can implement privacy by design and best practices to protect privacy, confidentiality, security of personal information.

Jean specializes in making practical recommendations for 1000’s of independent health care providers and comply with privacy legislation while improving efficiency in their practice management. Jean is a consultant and speaker on the topic of privacy breach management, including ‘virtual privacy officer’ on demand.

She is the privacy awareness training facilitator to hundreds of medical clinics and healthcare practices and organizations that support independent healthcare businesses and privacy officers across Canada and the US. With over twenty years of experience, I have the knowledge and tools to help your business improve your information privacy practices.

I’m delighted to share this with you now in this course.

So go ahead, click the order button right now and you're well on your way to privacy breach management plan success!

Here Is My Personal Guarantee

Email Jean with your questions.

4 Step Response Plan, incident response, online education, prevent privacy breach pain, privacy breach, privacy officer training, training

Data Privacy Day 2021 Events and Resources For You!

Posted on January 7, 2021 by Meghan in Blog

Data Privacy Day 2021 Events and Resources for You!

Data Privacy Day is an internationally recognized day dedicated to creating awareness about the importance of privacy and protecting personal information.

That means a lot to me and I think it means a lot to you, too. I think it is important that we give our patients and clients the gift of privacy. And that we have the right tools and resources for our employees to make good privacy and security decisions in our businesses.

Information Managers Ltd. is a Data Privacy Champion!

As a DPD Champion, Information Managers recognizes and supports the principle that organizations, businesses, and government all share the responsibility to be conscientious stewards of data by respecting privacy, safeguarding data, and enabling trust.

Each of us is responsible to manage our name and our identity. When you share your personal information, you have the right and responsibility to ask the person or business why they need the information and how they will protect your personal information.

Jean L. Eaton

Your Practical Privacy Coach, Information Managers Ltd.

You can be a Data Privacy Day Champion, too! Follow this link and complete the Organization Champion Form with the National Cyber Security Alliance.

Data Privacy Day Activities

5 Steps To Prevent Employee Snooping

SAY NO TO SNOOPING!

If an individual affiliate knowingly breaches the privacy and security of health information, and the custodian can demonstrate that reasonable safeguards (including privacy awareness training) were in place, the individual affiliate can be charged under the Health Information Act. Fines of up to $50,000 may be applied to the individual, in addition to other sanctions from their employers and/or their professional regulatory colleges where applicable (HIA s.107).

What Is Snooping?

Looking at someone’s personal information without having an authorized purpose to access that information to do your job is known as ‘snooping’.

Even when you are “just looking” at personal information but don’t share that information with anyone else, this is still a privacy breach.

It is illegal.

Snooping incidents are on the rise and can cost you time, money, heartache, and headache in your practice.

When there is an offence under the privacy legislation like the Health Information Act, there may be an investigation, charges and court appearances, fines, penalties, and loss of employment.

Snooping is entirely preventable.

How Can You Prevent Employee Snooping?

Let’s take a look at the pro-active steps that you can take today to prevent employee snooping.

Download the Practice Management Success Tip 5 Steps to Prevent Employee Snooping

The Practice Management Success Tip, 5 Steps to Prevent Employee Snooping, will help you

Take 5 practical steps to prevent employee snooping.
Provide clarity about what is considered a privacy breach.
Contribute to the health information privacy compliance in your healthcare practice.

Download 5 Steps to Prevent Employee Snooping HERE!

Understanding Mandatory Privacy Breach Notification

To celebrate Data Privacy Day, Information Managers is hosting a free, 30-minute webinar on Thursday, January 28, 2021 at 12:00pm Noon MT.

Mandatory Privacy Breach Reporting is here!

Do you know how this will affect your healthcare practice?

If you are a custodian – including physicians, pharmacists, optometrists, opticians, dentists, dental hygienists, chiropractors, nurse practitioners, podiatrists, midwives, and more! – as defined by Alberta's Health Information Act, then…this free webinar is for you!

Avoid Fines

On August 31, 2018, amendments to the Health Information Act (HIA), came into force that introduce a fine of not less that $200,000 for a person who fails to take reasonable steps in accordance with HIA regulations to maintain safeguards to protect against reasonably anticipated threats to the security of health information (sections 107(1.1)(a) and 107(7)).

What you need to know about mandatory privacy breach notification!

In this free webinar, Jean L. Eaton, Your Practical Privacy Coach will explain:

what is a privacy breach
why a privacy breach is a significant problem
why have mandatory privacy breach notification
lessons learned in the first year of mandatory notification
offence and penalty provisions of the HIA
privacy breach notification requirements
what you need to do now

Click Here to Register for the Free Webinar!

I Heart Privacy!

Just in time for Data Privacy Day! Print badges for your team.

Right-click the image and select ‘Save As' to download and insert the image into your favourite templates to make badges or stickers or labels.

Or, use the done-for-you sheet of labels that you can print right away and slip into badge holders or print to stickers or labels.

You can even customize the labels and add your business name!

Get the label sheets using the buttons below.

I Heart Privacy Badges with Data Privacy Day logo

I Heart Privacy Badges

Protect Your Organization and Your Patients With a Privacy Awareness Quiz

Equip your staff with the information they need to confidently and correctly handle personal health information.

Healthcare businesses need privacy awareness training to support key policies and procedures, and risk management programs need a privacy awareness training program.

Reasonable Safeguards

As an employer and healthcare provider, you are responsible to provide training to all of your employees about privacy awareness.

If you don't provide the training, or if the employees don't understand the policies and there is a privacy breach, then the healthcare provider is more likely to be held accountable under the legislation and face penalties, including fines and even prison!

Patients value the privacy and security of their information.

Healthcare providers and clinic managers value privacy and security, and they value not having adverse results as a lack of compliance or patient safety issues.

Patients trust their healthcare providers with their sensitive, personal, and financial information.

If patients don't feel that the healthcare provider will keep their information confidential and secure, patients may choose not to share their information, which may impact their healthcare and treatment.

When we are privacy aware, we can better respond to patients' questions and build their trust in the quality of services that we provide.

Download the Privacy Awareness Quiz to use today to train your employees and protect your patients' health information.

Download the Privacy Awareness Quiz!

Privacy Protection In The Pink Seat with Dr. Angela Mulrooney & Jean Eaton

While privacy is not technology driven, the lack of privacy, perhaps, is impacted by technology.

Many dental practices are overwhelmed with creating and implementing privacy and security policies and procedures and how to prepare a privacy impact assessment.

Angela and I discussed practical privacy tips for your dental practice to help reduce the overwhelm.

These tips apply to all types of healthcare practices.

“Talk Shop – Protect Your Business from Information Breaches”

Jean Eaton is a guest on Lauren Sergy's “Talk Shop” YouTube channel.

Talk Shop: learn from industry experts to be a better communicator in work and in life, hosted by @lsergy. Privacy tips for business owners, just in time for Data Privacy Day!

For more Data Privacy Day resources and events from the National Cyber Security Alliance, click the button below!

Visit the National Cyber Security Alliance - Data Privacy Day website

Stay Safe Online

For more information about how to get involved in Data Privacy Day and the Champions program, visit https://staysafeonline.org/data-privacy-day.

You can also follow the campaign on Twitter at @StaySafeOnline or Facebook at https://www.facebook.com/DataPrivacyNCSA and use the official hashtags #PrivacyAware and #DataPrivacyDay to join the conversation.

Please use the social share buttons to share these Data Privacy Day activities with your friends and colleagues.

Follow Us On Social Media!

Each day, from January 22 – 28, we will have daily privacy tips and free links to additional resources on social media accounts that you can download and use right away!

#DataPrivacyDay, #PrivacyAware, Data Privacy Day, Data Privacy Day Champion, Data Privacy Day Edmonton, healthcare

What Is a pORA?

Posted on January 6, 2021 by Meghan in Blog

What Is A pORA?

The Provincial Organizational Readiness Assessment (pORA) document is a risk assessment tool that describes the technical, administrative, and physical security controls necessary to meet the minimum-security standards required by legislation and by Alberta Health.

When we provide our personal and sensitive information to a healthcare provider, we want assurances that the confidential information will be respected. We expect that our information will only be shared with people who need to know the information to provide health services to us. Alberta's Health Information Act (HIA) requires healthcare providers (custodians) to put appropriate safeguards in place to protect the privacy, confidentiality, and security of health information.

A completed pORA is one of the pre-requisites for community sites to access the Alberta Netcare Portal.

Alberta Netcare, known as the provincial Electronic Health Record (EHR), is a secure and confidential electronic system. It is accessible to health professionals and contains Albertans’ personal health information. This is also known as the Alberta Netcare Portal or ANP.

A pORA asks questions similar to the questions in a privacy impact assessment and is frequently completed at the same time as a Privacy Impact Assessment (PIA) when a new clinic is preparing to open. It's easy to get them confused, but they are separate documents and have separate purposes.

PIA

A Privacy Impact Assessment is a process that assists healthcare providers (custodians) to review the impact that an implementation of a new administrative practice, information system, or change to existing practices or systems relating to the collection, use and disclosure of individually identifying health information, may have on individual privacy. This includes how the clinic will ensure appropriate safeguards to ALL information sharing practices, including the use of Alberta Netcare.

In Alberta, a PIA must be submitted by the custodian to the Office of the Information and Privacy Commissioner (OIPC) for review and acceptance.

pORA

This comprehensive risk assessment is required by Alberta Health to verify that a community healthcare provider custodian meets minimum security standards, before accessing provincial health information. It is one of the core requirements for access to the ANP and assists the custodian in meeting their legislative requirements and protect the privacy, confidentiality, and security of health information.

The pORA is submitted by the custodian to Alberta Netcare prior to access to Alberta Netcare Portal.
Prior to being granted access to Alberta Netcare Portal, the custodian must also have a PIA accepted by the OIPC.

We know that technology and office practices change over time. It is an expectation that the healthcare provider custodian will review their PIA, pORA, and supporting policies and procedures regularly, at least annually. Alberta Netcare requires that within two years from the date of approval of the pORA that its contents be thoroughly reviewed to ensure the information is correct and up-to-date.

For more information about pORA, see Alberta Netcare. Frequently Asked Questions. Provincial Organization Readiness Assessment. February 2020.

Watch the FAQ video here!

Did you enjoy this article? If you'd like to look at similar posts, visits these links:

Do You Need An Expedited Netcare Privacy Impact Assessment?

Alberta, Alberta Netcare, Alberta Netcare Portal, ANP, Health Information Act, HIA, Netcare, p-ORA, pORA, Privacy Impact Assessment, Provincial Organizational Readiness Assessment

1 2 3 ›»

"I had the pleasure of working alongside Jean to develop a PIA for my Dental Office. I could not have completed this document without her. She was there to help me every step of the way. Her online course made it easy to communicate with her as well as having so many resources to use that were so helpful. Each Module had videos to watch that explained step by step what needed to be done. The PIA document is a lot of information to put together and if it's not enough information on its own, you also need to develop a policy and procedures manual. Jean has developed an amazing resource for this manual that was very user friendly and made a 300 page manual a lot more attainable than creating it on your own. I highly recommend taking Jean's PIA course and having her help throughout the process!"

- Lindsey Cave, Office Manager, Orion Dental Group