Have you ever said… “If only I had someone to ask!”
Each month, we discuss your questions about practice management, human resources issues, clinic management best practices, procedures, resources, practical privacy tips, and more in Practice Management Success membership.
In this Q&A, we're talking about:
How long does it take to do a PIA?
I’m opening my practice next month.
I just learned that I need to complete a Privacy Impact Assessment.
What do I do now?
Unfortunately, I hear this question far too often!
Here’s What You Need to Know About the Timelines Required to Complete a Privacy Impact Assessment
In an ideal world, you will start your PIA process about 6 months before you plan to open your practice.
Start by developing your privacy and security policies and procedures.
Next, discuss your operational needs with your EMR vendor, your computer and IT support vendors, and other stakeholders, and confirm that each vendor can meet the PIA requirements.
At this point, about 4 months before go-live, you will start writing your Privacy Impact Assessment documents.
Review and accept the Privacy Impact Assessment internally within your organization, and ensure that each custodian has reviewed, understood, and accepted it.
Then submit the Privacy Impact Assessment to the Office of the Information and Privacy Commissioner (OIPC) about 3 months before your go-live date.
Start With Privacy and Security Policies and Procedures
If you are planning to open your healthcare practice soon or planning to implement a new project in your existing clinic, your first step is to review (or create) your privacy and security policies and procedures.
Guidance for Electronic Health Record Systems
To help you with your discussion of PIA requirements with your vendors, the OIPC has produced a document, “Guidance for Electronic Health Record Systems”.
This guide was developed to assess the safeguards in electronic health record (EHR) systems. Custodians and their EHR service providers may use this document to support a Privacy Impact Assessment on an EHR system, or to examine whether changes to a system comply with Health Information Act requirements. Published in June 2016.
This guidance is intended to help you have that discussion with your vendors. The guidance document itself is not part of the PIA submission; it helps you ask good questions of your vendors so that you get good answers, and it is those answers that you include in your PIA submission.
If you are currently looking for a vendor for your EMR, practice management system, computer network system or, perhaps, your billing system, these are the questions that you need to discuss with your vendor. Their answers will help to inform you and assist you in selecting good vendors for your practice.
If You Are a Vendor That Supports Healthcare Practices
If you are a vendor that supports healthcare practices, I encourage you to download the Guidance for Electronic Health Record Systems document and complete it from the perspective of your product or service, even if your product isn't an EHR. You can then share the completed document with prospective clients and custodians as a demonstration of your privacy and security practices, and use it to support your clients with their PIA submissions.
If you haven’t done your PIA yet, you definitely need to get this completed. You need to have your policies and procedures completed and your PIA submitted to the OIPC for their review and acceptance before you open your new practice.
For more information about Privacy Impact Assessments, see