What is a PIA?

Do you collect personal, financial, or health information about your clients, customers, or patients?

Do you have employees?

Does your business have a newsletter mailing list?

Do you have security cameras in your business?

Then you probably need a Privacy Impact Assessment.

What is the purpose of a Privacy Impact Assessment?

A Privacy Impact Assessment (PIA) is the administrative practice of documenting your already-in-use office practices, and using them to assess your work from a privacy perspective. For example, is your receptionist's computer positioned in such a way that a client or patient might be able to read the screen? How could you prevent the unauthorized view? Do you know an employee who forgets to log out of his computer when he takes breaks? Do you have an automated time-out setting that logs him out of the computer?

A Privacy Impact Assessment process helps you to identify administrative, physical, and technical safeguards that you can use to mitigate the risks of unintentional and unauthorized collection, use, and disclosure of personally identifying and sensitive information.

Privacy is good for business.

Good business practices that protect the confidentiality and security of personal information contribute to efficient workflow practices. It is easier to attract and retain employees if you demonstrate care and responsibility for the personal information of your clients, employees, and business partners. Good privacy practices reduce the likelihood of costly privacy breaches and fines.


What is a Privacy Impact Assessment?

A Privacy Impact Assessment (PIA) is a process that helps business owners and custodians review how a new or changed flow of information, administrative practice, or information system affects the collection, use, and disclosure of individually identifying personal and health information. A PIA describes the information flows in the project, identifies the legal authorities that allow for the flow of information, assesses potential impacts on and risks to privacy, and identifies mitigation strategies to minimize the risks.

When to do a Privacy Impact Assessment?

A PIA is required before a business or healthcare provider implements a new practice or system, or changes to existing practices or systems. For example, if you are opening a new practice you need policies and procedures related to privacy and work flow systems, as well as a formal PIA.

You also need to complete a new PIA if you are:

  • Adding or changing the way that you are collecting, using, or disclosing personal and health information
  • Applying for access to information sharing initiatives
  • Implementing a new customer records management (CRM) or Electronic Medical Record (EMR or EHR) system


Are you a vendor who supports a healthcare provider? You can improve your marketability by demonstrating that you understand the importance of confidentiality and security by conducting a PIA on your services and sharing the PIA summary with your client.

It is important to conduct the PIA at the appropriate stage of the project lifecycle. Conducting a PIA too early in the project will be difficult because you will not have all the information you need to fully describe the project or to fully identify privacy risks and mitigation measures. However, doing a PIA too late could mean having to make time-consuming and expensive changes to applications, business processes, or other features that have already been completed.

The best stage to do a PIA is after all business requirements and major features of the project have been determined in principle, but before completing detailed design or development work to implement those requirements and features. For long-term projects, include in the PIA what you think will be included in the project in a 6 month time frame. You may need to update your PIA after you have implemented the project and before you implement Phase 2.

Who Does the Privacy Impact Assessment?

Often, the Privacy Officer in your business completes the PIA with help and support from the business unit and the information technology department. However, the business owner, custodian, or CEO is responsible for the PIA. In some regulated industries a PIA needs to be completed by an external third party. Most often, the PIA can be completed by employees in the business. There are on-line tools and training programs available to help you.

It's never too late to start a PIA!

If you have been in business for some time and haven't done a PIA yet, now is the time to get started. It is important to remember that a PIA is not a static document. Just because you completed a PIA when you first opened your business doesn't mean that you are done. You need to review, revise, or amend it when you start collecting information for a different purpose, sharing information in a different way, or implementing a new EMR.

Demonstrate accountability to your business, business partners, and clients by protecting their personal information. Avoid and mitigate your business risk by implementing good administrative, technical, and physical safeguards. Do a PIA for your business. And remember – you may not be able to do it all, but doing nothing is not an option.

Copyright 2022 Information Managers Ltd.