What Does a Ransomware Attack Look Like to Patients?

Posted on June 14, 2021 by Meghan in Blog

What Does a Ransomware Attack Look Like To Patients?

One of my favourite podcasts is Help Me with HIPAA. This weekend I listened to Episode 304 Ransomware Creates a Social Media Privacy Violation Storm while I was spring-cleaning my yard.

Donna and David discuss in (almost) real time a ransomware attack that was currently occurring at the San Diego California’s main health systems, Scripps Health. The attack resulted in practically all of its technology being taken down. The EHR went down, patient portals were down, appointments had to be rescheduled, patients had to be diverted to other hospitals… even their website was down.

This podcast episode isn’t about the technology about ransomware. Donna and David walk you through the impact on patients – from the inconvenience and frustration to the disastrous consequences of not having health information available when it is most needed.

This gripping story reveals how communication failures, systems failures and a lack of information snowballed to negatively affect patients when they needed help the most.

My Takeaways From This Help Me With HIPAA Episode

Ransomware is nefarious and its impact is far-reaching.

Patient care is compromised – patient information is not accessible, and it is unknown what information can be retrieved and, if it is retrieved, if it is complete and accurate.
Privacy breach – obviously! The hackers have patient, employee and business information and have threatened to release it publicly.
BUT – employees are also continuously breaching privacy while they are responding to patient concerns on social media DURING the ransomware attack.
Employees cannot access their information to do their jobs – work schedules, payroll, portals to perform their jobs. So, alternate, unauthorized workflows are implemented to get the job done which subsequently results in more breaches.
While the press release from Scripps Health indicates that they have trained and prepared personnel, the communication from Scripps to patients, employees, and the public has been disorganized, conflicting, and continuously breaching privacy and confidentiality.

I urge you to listen to this episode (about 30 minutes).

Listen to the Help Me With HIPAA Podcast HERE!

[Start at 18:19 minutes]

What Would You Do?

How would you and your team respond to this type of privacy breach?

Share this episode with the members of your incident response plan. Then, use the scenario to conduct a table-top privacy breach fire drill using your privacy breach management plan.

These table-top privacy breach fire drills are a great demonstration of your commitment as an organization to ensure that you are protecting the privacy confidentiality and security of health information.

Now hop over and listen to the Help Me With HIPAA episode to better understand what a ransomware attack looks like to a patient.

https://helpmewithhipaa.com/privacy-questions-everywhere-ep-304/ [Start at 18:19 minutes]

Communication, healthcare, incident response plan, Patients, privacy, ransomware, ransomware attack

Positively Represent Your Healthcare Practice with a Dress Code Policy

Posted on May 20, 2021 by Meghan in Blog

Professional Appearance Positively Represents Your Healthcare Practice

Do you have a dress code policy in your healthcare practice? You might be in the front office or a healthcare provider. You might wear uniforms, lab coats, or business clothes. Regardless of your interaction with clients, customers, suppliers, contractors, or volunteers, the appearance of employees at your business supports your business image brand.

Patients and their families have reasonable expectations that their healthcare providers and employees at the clinic present themselves in a professional manner both in demeanor and appearance.

Why have a healthcare practice dress code policy?

Dress code policies, procedures and training will help to ensure a professional and consistent appearance of employees while also positively representing and supporting your business brand.

A policy provides guidance in making choices about clothing and appearance, for all staff.
The professional appearance of your staff supports the image and positive reputation of the clinic.
Use of uniforms and name badges creates a greater level of security and recognition for staff and patients.

What are some dress code guidelines?

General Guidelines:

If you do not have direct patient contact (i.e., billing clerk, consulting pharmacist, receptionist) wearing uniforms is optional. If you choose not to wear a uniform or lab coat, consider these guidelines when choosing clothes at the office:

Name Badges:

Help to identify you to our patients and clients.
Are provided by the clinic to each employee.
These are to be worn at all times.
If you are not wearing a name badge, you may be denied entry into restricted areas of the clinic.

Shoes:

Closed toes and closed heels or heel straps.
No high heels or built-up soles such that it could endanger yourself or patients.
Non-slip footwear.

Hair:

Clean and neatly groomed.
Long hair should be tied back during patient treatment or when operating machinery.

Clothing:

Clean, neat and in good repair and allows for full performance of all duties.
T-shirts and tank tops are not permitted. Polo shirts or styled cotton tops with pockets are acceptable. Discrete, non-inflammatory images and logos are permitted.
Sweatshirts are not suitable in direct patient care areas.
Tops need to be long enough and high enough to provide adequate coverage of abdomen, back and chest.
Fragrances should be avoided.
Jewelry, tattoos and body piercings must be discrete and provide no risk to the wearer or patient.

If you have direct patient contact (i.e., physicians, MOA, nursing, physiotherapist):

Clothing must meet infection control standards for the benefit of patients and to you and your family. The type of work that you do may require additional considerations.

No artificial nails are permitted.

In the interest of health and safety of our patients and our employees, no artificial fingernails are permitted. Artificial nails have been demonstrated to interfere with effective hand washing hygiene and has contributed to healthcare acquired infections.

When we know better, we do better

Download the Practice Management Success Tip, ‘Dress Code Policy'.

Discuss with your team the importance of professional attire and overall appearance.

The free Practice Management Success Tip, Dress Code Policy, will help you

Discuss with your team the importance of professional attire and overall appearance.
Review the professional work standards expected of each staff member, regardless of their role.
Guide discussions with your team, get their feedback and input, customize a procedure that you can use right away in your practice.

Show Me The Dress Code Policy

dress code, employee training, healthcare, medical, office dress code policy, policy template, Practice Management Success

What’s New in Cybersecurity in Healthcare

Posted on May 7, 2021 by Meghan in Blog

What's New In Cybersecurity In Healthcare

What has been happening lately in cybersecurity in healthcare?

Anne Genge, CEO of Alexio Corporation is my guest on this episode of Practice Management Nuggets For Your Healthcare Practice!

Anne and Jean discuss recent privacy breach scenarios and cybersecurity trends and steps that you can take now to prevent these events to happen to you!

Virtual care, telehealth, and working from home presents opportunities – and cybersecurity risks. Digital health and digital transformation has grown rapidly in the last year. Take time now to review your practice and defend yourself from dramatic increases in cybersecurity attacks.

Anne shares expert tips on how to prevent cybersecurity attacks in your practice.

Anne Genge's #1 Tip to Healthcare Practices

Invest in a professional cyber security risk assessment for your practice. Click to Tweet

My Favorite Takeaways From The Podcast

Anne shared Top 3 Tips For an Incident Free 2021 for healthcare providers and dentists and protect your practice and your patients including these nuggets.

Secure the network
Secure the people
Disaster recovery plan

Featured Guest: Anne Genge

Anne Genge is a pioneer in protecting health data and those who use it. She is a Certified Information Privacy Professional with a specialization in dentistry. Anne also holds certifications for HIPAA, Credit Card Security, Internet, and Network Security.

Ransomware and data theft have changed the face of dentistry in the past decade meaning dentists need a new toolkit for protecting their practices.

With over 20 years of experience, Anne knows the challenges healthcare providers face with technology. She and her team at Alexio Corporation work with dental and medical professionals to minimize data risk and maximize patient care.

As healthcare grows increasingly dependent on the digital environment, cyber-security becomes increasingly more difficult. Protection of patient data is not only law, it’s imperative for business success and reputation. Anne simplifies cyber-security for dentists and other healthcare providers and gives ‘real world’ strategies to protect patient information and the practice business.

To find more, see https://getalexio.com

Email: anne@getalexio.com

Twitter @alexiocorp	LinkedIn @alexiocorporation
Instagram @alexiocorporation	Facebook @alexiocorporation

Listen To The Podcast Here

You may also be interested in:

Table-Top Privacy Breach Fire Drill

Ransomware – 6 Mistakes Made By Dentists (And Their IT!)

#PracticeManagementNugget, Alexio, Anne Genge, cybersecurity, dental, healthcare, podcast, ransomware, security risk assessment

Why Would a Dentist Want Access to the Alberta Netcare Portal?

Posted on April 27, 2021 by Meghan in Blog

Why Would A Dentist Want Access To The Alberta Netcare Portal?

As a dentist or dental hygienist, if you have concerns about a patient’s health history, you may want to have access to the Alberta Netcare Portal to view the patient's history of health concerns and current medications.

Alberta Netcare provides personal health information that is available through a province-wide electronic record system under the authority of the Health Information Act (HIA).

Whether a dentist uses paper records, electronic dental records (EDR), or electronic medical records (EMR), using the Alberta Netcare Portal will help dentists monitor their patient’s interactions with other parts of the health care system.

What is the Alberta Netcare Portal?

Alberta Netcare Portal is the secure vehicle through which patient health information from a variety of health care providers is shared and accessed electronically, by independent and hospital-based health service providers like dentists, physicians, nurses and pharmacists. The Alberta Netcare Portal is a data collection centre for registries and systems such as laboratories, diagnostic imaging facilities, hospitals and some specialized clinics. Alberta Health and Wellness is the Netcare information manager.

Dentists and Dental Hygienists Are Custodians

Dentists were designated in 2010 as authorized custodians under the Health information Act (HIA). Dentists can now request access to Alberta Netcare by showing that they meet the Netcare requirements.

Dentists who manage patients with complex medical conditions or for the provision of treatment requiring sedation or general anaesthesia may require additional information about the patients’ health history. Dentists can use Alberta Netcare Portal to view medication profiles, laboratory data and tests results.

Ensuring reasonable safeguards to protect the privacy and security of personal health information of your patients and residents of Alberta is critical! We want everyone who has access to these health data repositories to follow the same best privacy and security practices. The HIA has regulated requirements for all custodians to follow.

Everyone needs to follow the rules to play in the sandbox!

How To Get Started

Before you are granted access to Alberta Netcare Portal, you must complete the following steps.

Step 1: Create or update your Health Information Management Privacy and Security Policies and Procedures including the rules governing the access, collection, use, of health information from Alberta Netcare.

Step 2: Complete a Privacy Impact Assessment (PIA) and submit this to the Office of the Information and Privacy Commissioner for review. For more information on how to complete a PIA, click here.

Step 3: Train your team on privacy awareness. I recommend the Privacy Awareness in Health Care Training — Dental Practices.

Step 4: Contact the eHealth Netcare Support Services Team.

Step 5: Complete a Provincial Organizational Readiness Assessment (pORA). See What is a pORA.

Step 6: Sign an Informational Manager Agreement (IMA) and Review Informational Exchange Protocol (IEP) with Alberta Netcare

For more tips on implementing reasonable privacy and security safeguards for your dental practice, see https://informationmanagers.ca/privacy-impact-assessment-pia/.

You can also watch the FAQ video on this topic by clicking the button below!

Watch the FAQ Video HERE!

You May Also Be Interested In:

What is a pORA?

New Health Information Policy and Procedure Manuals

Do You Need An Expedited Netcare Privacy Impact Assessment?

Who Is Doing the Recalls In Your Dental Practice?

Privacy Awareness in Healthcare Training: Dental Practices

Privacy Impact Assessment – Consultation Options Available!

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

Alberta Netcare, ANP, dental hygienist, dentist, healthcare, PIA, PIA Consultant, privacy, Privacy Impact Assessment

Do You Need to Build A Privacy Awareness Training Plan for Your Healthcare Practice?

Posted on April 22, 2021 by Meghan in Blog

Do You Need to Build a Privacy Awareness Training Plan in your Healthcare Practice?

A practical privacy awareness training plan will save time for clinic managers, and it will manage risks with employee compliance and buy-in.

Build a privacy awareness training plan! Privacy awareness training is more than a checklist when new employees are hired.

As an employer and health care provider, you are responsible to provide training to all your employees about privacy awareness.

Your privacy officer should have direct involvement in the planning and monitoring of the privacy awareness training. The privacy officer may also:

Facilitate training opportunities
Develop / contribute to policies and procedures
Monitor for compliance
Provide instructions
Implement specific projects

If you don’t provide the training – and if your employees don’t understand the policies – and there is a privacy breach, then the healthcare provider is more likely to be held accountable under the legislation and face penalties including fines and even prison!

Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information. Healthcare businesses who want employee and supervisor level privacy awareness training to support key policies, procedures and risk management programs need a privacy awareness training program.

Privacy Awareness Training Plan Workshop

Learn effective approaches to design and deliver an effective privacy awareness training plan for your healthcare practice.

Real-life scenarios and privacy breach offences demonstrate what can go wrong – and what you should do instead
How to manage employees who may not ‘get it'

In this 60-minute webinar, you will outline a privacy awareness plan for your practice.

Privacy Awareness Program Components
Supporting Privacy Awareness Training Policies and Procedures
Privacy Awareness Training Strategy
Privacy Awareness Training Models
How Do You Create Privacy Awareness Training Content?
Privacy Education Objectives
Audiences For Privacy Awareness Training Evaluation Methods
Monitoring / Compliance
Documentation

Join us on Thursday, May 6

12:00pm Noon Mountain

Build a Privacy Awareness Training Plan for Your Healthcare Practice

Register for Your FREE LIVE* Workshop

*Even if you can't attend live, register now to get access to the limited time replay and resources!

Yes! I want to attend the workshop

This Workshop Includes:

Live on-line training
Q&A with Jean Eaton, Your Practical Privacy Coach when you join the webinar live
Access to the replay for a limited time
Learning Resources Guide

Yes! I want to attend the workshop

Did you enjoy reading this article? You may also be interested in:

Do You Want To Be A Confident Healthcare Privacy Officer?

Keeping Privacy Active in the Minds of Clinic Staff

5 Low Cost Steps You Can Take to Prevent Employee Snooping

3 Parts to Every Privacy Awareness Training Plan

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

healthcare, privacy awareness, privacy awareness training, privacy awareness training plan, privacy officer, privacy training

Table-Top Privacy Breach Fire Drill

Posted on April 19, 2021 by Meghan in Blog

Use A Table-Top Privacy Breach Fire Drill to Protect Your Practice

A table-top privacy breach fire drill is a cost-effective way to prepare for a privacy and security incident in your healthcare organization. You should have a written privacy breach incident response plan in your healthcare practice. Have you practiced your response plan lately?

A table-top privacy breach fire drill allows your incident response team to rehearse their skills in a controlled exercise.

Do you remember your school days when every month or two you had a fire drill? The fire alarm would go off and everybody would go out the doors and very calmly go down the stairs and out the doors and into their muster point.

We take the same approach with privacy breach fire drills. Fires can happen at different times, places, and for different reasons. Whey you change the scenario, you develop alternate strategies or playbooks to best respond to the fire.

A privacy breach incident playbook contains all the actionable steps to take when a privacy beach incident occurs. Your playbook will have many ‘plays’ or actions to take when different types of privacy breach incidents occur. You could also think of it as a recipe book. You have many types of recipes to select from. Identify the ingredients that you have on hand (or the characteristics of the latest privacy incident) and select the most appropriate recipe to resolve the incident.

Healthcare providers, owners, and privacy officers hear about big privacy breaches on the news and hope it won’t happen to them. It keeps them up at night…because they know that properly preventing or managing a privacy breach is critical to the continued success of their business. Implementing a table-top privacy breach fire drill will help!

Picture this. You call a meeting of your incident response team. This may include your privacy officer, computer network support or managed services provider lead, physician, dentist, or other healthcare lead, your media spokesperson, and clinic manager. The privacy officer distributes a privacy breach incident scenario summarized on one page.

The team members read the scenario and then discuss what steps that they would take to respond to the privacy breach incident.

Using the 4 Step Response Plan as your playbook guideline, the incident response team note-keeper documents the hypothetical steps that the team takes to respond to the breach. Record the decisions, the resources, and the questions that you explore in this scenario.

When the table-top exercise is complete, you now have a detailed action steps that you can take when a similar privacy incident occurs in your healthcare practice.

How To Use The Table-Top Privacy Breach Fire Drill Technique

The goal of a privacy breach fire drill is to develop your playbook so you can spring into action when a similar privacy and security incident occurs in your healthcare practice.

First, identify a scenario that could happen in your practice. Unfortunately, it’s easy to find an example about a privacy and security breach in the news. Grab a privacy breach example and pull out the bits and pieces of the information that might apply to your organization. When you select scenarios that could happen in your organization the exercise is more meaningful for you, and you will develop tools and templates that are going to help you in the event that a very similar privacy and security incident happens in your organization.

Let’s use the recent privacy breach incident that came from the province of Saskatchewan* when a cybersecurity attack that happened in their E-Health system. This attack may have started when an employee who had authorized access to the e-health system used a personal tablet to connect with a USB to the Saskatchewan health authority’s computer. This enabled a virus from that personal tablet to infect the computer system and ultimately the e-health system, allowing millions of files to be stolen. Strip the example down to its key points. Create additional details and assumptions where needed to give the team members enough information to discuss the scenario during the fire drill exercise.

Step 1 Contain The Breach

The first step in every incident is to spot and stop the breach. Make an assumption that the employee who connected the personal device to your computer is now seeing that message on the screen that says that there's a virus in the system. One of your incident team members plays the role of the employee and completes Step 1 of the privacy breach incident response form and notifies their supervisor or the privacy officer.

Another team member assumes the role of the privacy officer and explains what their next action steps would be.

Record each action that you consider. Document each policy, resource, phone number and email address that you would use in a real event. This creates the action steps in your playbook.

Step 2 Evaluate the Risks

Discuss the risks that could affect the computer systems. What tools do you need to evaluate the harm of this incident? How might this affect patient care and the privacy of patient information?

Contact your vendors and ask them to contribute to the risk assessment in this scenario.

Who else might you want to call on for assistance to investigate this incident?

You might want to revisit the news item for additional information about the actions that were taken that you might also need to explore.

In your playbook, record good leading questions to help you to investigate the incident and evaluate the risks of harm.

Step 3 Notification

Strategize who you would notify about the incident. Prepare written notification to the custodians, patients, regulators and even media statements. These become templates in your playbook that you can quickly implement in your real event.

Role-play your media spokesperson being interviewed on the evening news. It’s much better to practice now, before you are in a crisis.

Step 2 Prevent the Breach From Happening Again

This might be the most valuable step in the privacy breach fire drill. Complete the privacy breach incident worksheet and summarize this practice scenario. Consider how likely this scenario could happen in your practice. What type of training could be done now to prevent this from happening? What tools or training do your incident response team members need today to make it easier for them to monitor and prevent this scenario from happening?

Fire-Drills Lead to a Confident Response

At the conclusion of this fire-drill, your team is ready, energized, and have the tools that they need to make sure that they can respond to that privacy and security breach as quickly as possible. This absolutely is a great investment in your time. These table-top privacy breach fire drills are a great demonstration of your commitment as an organization to ensure that you are protecting the privacy confidentiality and security of health information.

I hope that this privacy tip to help you do your tabletop privacy and security breach fire drills will be a value to your organization.

Listen to the podcast HERE!

Do you need help to create your privacy breach management plan – and a mentor to help you get it done?

Check out the 4 Step Response Plan – tips, tools, templates, and training to help you create your privacy breach management plan!

4 Step Response Plan

*Reference:

Saskatchewan IPC finds ransomware attack results in one of the largest privacy breaches in this province involving citizens’ most sensitive data. January 8, 2021 – Ron Kruzeniski, Information and Privacy Commissioner. https://oipc.sk.ca/saskatchewan-ipc-finds-ransomware-attack-results-in-one-of-the-largest-privacy-breaches-in-this-province-involving-citizens-most-sensitive-data/

fire drill, healthcare, privacy breach, privacy officer, privacy officer training, privacy training, table-top privacy breach fire drill

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

Posted on April 7, 2021 by Jean Eaton in Blog

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

You are working at the reception desk of a healthcare practice. Suddenly, there is a police officer giving you a court order! Do you know how to prepare patient records for a court order?

Don’t Panic!

In this month’s Q&A with Jean, we discussed how to prepare patient records for a court order with confidence!

Now, just a reminder, I’m not a lawyer and I don’t play one on TV. These are my recommendations based on my experiences – as a director of health records in hospitals in Canada, as a court reporter, and as a mentor to clinic managers in independent healthcare practices – and this is not legal advice.

Follow These Steps

In this article, I am not discussing a situation which relates to a life-threatening situation that requires an immediate response. I am also not discussing when the order relates to the type or quality of healthcare provided to the patient or when the actions of the healthcare provider or clinic is being challenged or reviewed. These are topics for a different article.

Your reception staff should not accept the court order but, instead, immediately ask the officer to wait for a few minutes so that they can request their supervisor or privacy officer meet with them.

When the court order is an administrative request for information, the supervisor or privacy officer will accept the court order from the officer. Before the officer leaves, make sure that you read the court order carefully and ensure:

Who is named in the court order.
- This is often the clinic manager of the clinic. Your clinic should be specifically named or, perhaps, the name of your lead physician or healthcare provider.
Record the date and time that you received the order.
Clarify when the response is required.
Name and contact information.
- This could be of the officer that delivered the court order (if possible).
- At minimum, it should include the contact information of the court, for example, the court clerk’s office or the witness co-ordinator, or the sheriff’s office.
The province or jurisdiction of the court.
In general, this should be the same province where your clinic operates. If not, contact your lawyer for advice on how to respond.

Review Your Policies and Procedures

This is not a routine request from a patient to access their health records or a request to disclose their records to a third party like a lawyer or insurance company. In those routine requests, patients are generally required to provide a written, signed consent before you can disclose their records.

When you receive a court order or subpoena to produce patient records at a court or other legal proceeding, you are not required to get a signed consent from the patient.

Each healthcare practice should have detailed policies and procedures on how to prepare patient records for a court order. Review these now.

If you don’t have up-to-date policies and procedures, see the Practice Management Success Tip, How to Prepare Patient Records for a Court Order.

Validate the Court Order

Read the court order carefully. In particular,

Phone the contact number on the court order.
Confirm the date, time, and location that you are required to appear.

Locate the Patient Record

Find the patient information maintained in an electronic database, electronic medical record (EMR) and/or paper records. Remember to look for both active and inactive patient records as needed by the court order.

Read the patient record carefully, line by line, to ensure that the record is complete. For example, make sure that all lab reports, prescriptions, consultation notes, etc. are included in the record.

Secure the record to prevent snooping or modification to the record. Also ensure that the record is available for continuing care and treatment of the patient, if needed.

In an electronic record, prepare an audit log of all the transactions on that patients’ chart.

Ensure there is no duplicate or second chart for the patient that may have been created in error. Search by alternate names, spellings, date of birth, etc.

Ensure that each custodian included in the patients’ care and your healthcare practice’s privacy officer is informed of the court order to produce the record. The custodian should be provided an opportunity to review their clinic notes. Remind the custodian that they cannot further disclose the patient's record.

Prepare the Patient Record

Review the court order and identify exactly what information is requested. It might be for specific dates or a condition or treatment.

Keep complete and detailed notes about how you prepared your response to the court order. You will bring your notes with you to court to assist you in your testimony about how your clinic creates and maintains patient records and what you did to respond to the court order. After your court appearance, you will maintain your notes as part of the business records for the clinic.

Collect the information and record each of your steps and your results, including the records that you searched for as well as those that you did not find any results for.

If you maintain your patient records in an electronic medical record (EMR) or digital practice management software, print out a hard copy of all the information that responds to the information that is requested.

Sever (also known as redact or black-line) any information that is not appropriate to include in the disclosure. Cross-reference each redacted entry to the legal authority not to include the information in the disclosure.

If you are using an EMR, organize the paper print-out in a format that makes sense. This might be in chronological date order, or by grouping like records (clinic notes, lab results, etc.) together.

Create a ‘Table of Contents’ of the information in the patient record. This will help you in your testimony to quickly find requested information, and to help the court to locate information in the records that you have prepared.

At the same time, handwrite in ink at the bottom of each page the sequential page number in the package. Update the table of contents with the page numbers.

Stamp ‘COPY’ on each page.

When the package is complete, make a photocopy (or two) of the entire package. The ‘original’ paper copy will be maintained at the clinic. Bring the original and the copy to court and ask the court to accept your copy. Return the original package to the clinic and securely maintain this as part of the business records of the clinic until the court file is complete.

When You Attend At Court

As the clinic manager, your role at the court is to tell the court how patient information is collected and maintained in your healthcare practice. Your job is not to interpret the content of the clinic notes.

A few days prior to the court date indicated on the court order, phone the clerk’s office or witness support office to confirm the date, time, and location of the proceedings and if you are still required to attend.

On the day of the proceedings, report to the clerk of the court.

Bring with you the court order, your photo ID, the patient record, and your notes. Bring a good book to read in case you have a long wait.

You will be advised (again) if you are required that day. If you are not required, the clerk will make a notation on your court order to appear that you attended and that you have been dismissed. Keep this in your business records with the patient record.

If your testimony and the patient records are required, you will be called as a witness during the court proceeding.

You will be asked to swear or affirm an oath to speak honestly during your testimony.

Typical questions that you should be prepared to answer include:

Your name.
Your role at the clinic, how long you have been in that role, your routine tasks and responsibilities at the clinic.
Describe how patient records are maintained. Be prepared to explain your EMR or computer patient management system (if you have one).
Bring your notes about the steps that took to prepare for the court order. You may ask permission of the court to refer to your notes that you created when preparing to respond to the court order during your testimony, if necessary.
Explain that the patient records are kept electronically and that you have prepared a paper print-out of those notes.
Be prepared to explain how you know that the records are complete, not missing any details, etc.
If the court asks you to enter the records into evidence, explain that you have an ‘original’ and a ‘copy’ and ask the court to accept the ‘copy’ into evidence.

When You Return to the Clinic

Complete your notes by documenting your day at the court. Write a short summary of your day including:

Did you give a copy of the patient records to the court? To whom?
Remember to add this notation to the patients’ record that you disclosed this information according to the court order.
Any follow-up required for this disclosure?
Review your procedures. Anything that you would edit or provide additional instructions that will help you to be better prepared for next time you receive a court order?
Submit a copy of your out of pocket expenses (parking receipts, meals, etc.) for re-imbursement by your employer, if applicable.

What You Should Do Now

Review your policies and procedures now to ensure that it includes how to respond to a court order.
Train your reception staff on what to do if they receive a court order.
Train your privacy officer and clinic manager on how to prepare a patient record for a court order.

Depending on where you work, you may receive a court order regularly or it might be a once-in-a-career experience. When you have policies and procedures and a little bit of training to assist you, you can respond to a court order calmly and confidently.

If you are a member of Practice Management Success, login and access the ’Procedure: Preparing Patient Records for a Court Order’ template and the replay of the tutorial video.

Download Practice Management Success Tip - Preparing Patient Records for a Court Order Now!

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

court order patient records, health care, health records, healthcare, medical, Practice Management Success, subpoena to produce patient records, template procedure

Hire a Health Information Management Summer Student In Your Healthcare Practice

Posted on March 15, 2021 by Meghan in Blog

Hire a Health Information Management Student!

Summer is often a time to ‘catch up’ on outstanding projects. It can also be a time to prepare for programs for the fall.

Summer students can help you with jobs like archiving patient records, preparing data to move to a new EMR, setting up a new on-line appointment booking program, or implementing panel management for your practice.

Health Information Management Program at the Southern Alberta Institute of Technology (SAIT)

The role of health information management goes beyond managing health records to managing the information contained in those records. Using computer skills and knowledge of healthcare fundamentals, critical medical information is translated from patient health records into data following national data standards. The health information management professional then interprets the data to provide comprehensive quality information for patient care, resource allocation, statistics, research, planning and education.

Find out more about the Health Information Management program at SAIT here: https://www.sait.ca/programs-and-courses/diplomas/health-information-management

SAIT is accepting applications now for practicum students in May and June of this year. They can help you start or update your panel management program in your healthcare practice!

This is an un-paid practical experience for students in the Health Information Management program.

Contact Lisa Proudfoot at SAIT for more information by clicking the button below.

Contact Lisa Proudfoot

Why You Should Hire a Health Information Management Summer Student

It is a cost-effective solution for short-term hiring needs; employers get quality skills at affordable prices.

It is an excellent way to evaluate potential employees.

Students bring fresh, innovative ideas to your business.

It is an investment that you make in attracting dedicated employees.

What’s In It For Me? (WIFM)

Often, we learn more about what we do when we teach someone else. When you hire a student, you mentor an enthusiastic student. You provide knowledge, experience and connections to further the career direction of a student.

You can provide a positive difference in a young person’s career by setting an example of professionalism. You encourage the student to strive for and provide a focus on future career direction and advancement.

Learn More About HIM Students and Panel Management

Listen to the podcast with Stephanie Clack, Program Specialist and an instructor in the Health Information Management program at the Southern Alberta Institute of Technology (SAIT), to learn more about panel management and how Health Information Management students can help you!

Listen to the podcast on www.PracticeManagementNuggets.live or click the button below!

Listen to the podcast here!

Health Information Management, HIM Professionals, panel management, SAIT, Southern Alberta Institute of Technology, summer student

Can We Email Patients During COVID-19?

Posted on March 11, 2021 by Meghan in Blog

Q: Can we send an email to our recent patients to inform them that we are open during the current COVID restrictions?

We know that some patients are reluctant to see their care provider in person because of the COVID-19 pandemic. They are worried that they may have to wait in a crowded waiting room, or they are concerned about the possibility of waiting outside in the cold. They may not know about new care options, such as a phone consultations or video meetings.

Can we email our patients to let them know how we are addressing their concerns?

Update – This works for letting your patients know that you are offering vaccinations, too!

A: Yes, with certain limitations

In my opinion, if you are reaching out to **recent** patients / clients to assist them with their **current** health care questions, it is OK to send an email to let them know how you can provide health services within the current pandemic restrictions.

Here are some tips to help you review or create your procedures how to use email with your patients.

Make sure you have previously collected a patient's email address and their consent (verbal is OK, written is better) to use their email address for health service related messages before emailing them.
Do not accept work email addresses for patients; it must be a personal email address for the patient.
Update the patient’s demographic information, including the email address, regularly. Make this part of your process every visit as part of your identity verification.
Update the patient's consent to use their email address every time you have an in-person or telephone conversation with the patient.
Use a script for calling patients to update information and to get consent for using their email address

Use the EMR system to send patients appointment reminders or patient education resources related to their recent visit.

If you also want to send your patients engaging articles about your healthcare providers, services that you provide, or classes or products that you sell, I suggest that you use a system different from your EMR. Use an autoresponder email system to send your patients marketing materials, engaging articles and other pieces of information on a separate marketing email platform. Remember, your patient must opt-in to consent to receive information from you using your auto-responder system.

There are many autoresponder systems to select from, including MailChimp, Active Campaign, Constant Contact and many more.

Join me on the FAQ video to find out when you can email patients during COVID. Click the button below to watch!

Watch the FAQ video HERE!

Interested in learning more about Email Marketing to your patients / clients?

Check out this blog from Top 10 Do’s and Don’ts of Email Marketing For Physical Therapists & Chiropractors by CallHero .

If you use Social Media to connect with your patients / clients, you might need the Practice Management Success Tip Social Media Management.

Get it here!

Show me Social Media Management

clinic, COVID-19, email and patients, health, healthcare, pandemic, public health restrictions, social media

Privacy Compliance and Technology in Healthcare

Posted on March 7, 2021 by Meghan in Blog

Privacy Compliance and Technology in Healthcare

Event by Rafiki Technologies with Information Managers

A Privacy Impact Assessment (PIA) is a practical business tool in your healthcare practice.

A PIA is an important tool that you can use to help you with project management.

It will help you anticipate risks to the project before it starts and avoid serious problems, wasted time and money.

The PIA process requires you to have written policies and procedures so that you can implement the project effectively and train your staff consistently.

Sometimes a PIA is a requirement of legislation. But it is always a best practice whenever you implement a project that includes personal health information.

Join Rafiki Technologies’ Naheed Shivji and Information Managers’ Jean L. Eaton for a guide to successfully keep your patients’ information safe, follow cyber security best practices, and comply with the requirements of the Health Information Act (HIA).

This on-line workshop will provide you with practical tips to plan your Privacy Impact Assessment (PIA) amendment as well as a strategic cybersecurity checklist.

Who Should Attend?

Medical, dental, chiropractic, optometric, pharmacy practices in Alberta.
Clinic manager, privacy officer or administrative lead responsible for updating your Privacy Impact Assessment.
Healthcare provider

Join Naheed Shivji and Jean L. Eaton for a guide to your PIA completion and technology requirements

Thursday, March 18th, 2021

6:00 PM – 7:00 PM MT

Free Registration

Click the button below to register for the workshop!

Register for the Complimentary Workshop HERE!

Meet Naheed Shivji, Founder & President of Rafiki Technologies Inc.

Naheed has more than 20 years of experience in IT with expertise in the dental industry. He is a passionate entrepreneur helping companies understand and embrace technology and is always searching for business best-practices while giving back to the community.

Naheed works hands-on with his clients to develop winning IT strategies and smooth implementations. He is constantly learning and adapting to industry trends to maintain Rafiki Technologies’ position as a leading managed IT services company in Canada.

Meet Jean L. Eaton, BA Admin (Healthcare), CHIM, CC

Your Practical Privacy Coach and Practice Management Mentor with Information Managers Ltd.

Jean has helped hundreds of physicians, chiropractors, pharmacists, and other healthcare providers complete their Privacy Impact Assessment. She has visited hundreds of practices across Canada.

Jean helps independent healthcare practices with practice administration, privacy awareness, privacy breach management, and legislated regulation compliance in Canada.

Jean's career started as a receptionist and transcriptionist in a busy family medical walk-in practice. She moved into health records and health information management and hospital administration in hospitals, regional health authorities, cancer agencies across Canada and Alberta Health.

Now, Jean specializes her consulting practice to independent healthcare practices who want to start, grow, or improve their practice administration so that healthcare providers can focus on providing quality healthcare services. Jean provides training to businesses including healthcare on practical privacy and security best practices and privacy breach management.

If you are starting your new practice and need your first Privacy Impact Assessment, see our available consultation options here.

You May Also Be Interested In:

“What is a Privacy Impact Assessment?”

Read the article and watch the short video now to take a look at what is a PIA, what will a PIA do for you, when you need a PIA, and what is the PIA process.

You can also listen to the Practice Management Nuggets podcast episode here.

“How Long Does it Take to do a New Privacy Impact Assessment?”

Ideally, you should start the Privacy Impact Assessment process 3- 6 months prior to your go-live date. Find out more by reading the article.

cybersecurity, dentist, healthcare, privacy, privacy compliance, privacy consultant, Privacy Impact Assessment, security, technology