PIPA is extended for 6 months

Posted on November 11, 2014 by Jean Eaton in Blog

On October 30, the Supreme Court of Canada (SCC) granted a six-month extension which will allow the Government of Alberta to make amendments to the Personal Information Protection Act, 2003 (PIPA).

Yesterday’s decision was welcomed by Alberta’s Information and Privacy Commissioner Jill Clayton, “If PIPA is allowed to lapse, Alberta’s citizens and businesses will lose the unique benefits afforded by the legislation, including: mandatory breach reporting and notification to affected individuals, local enforcement without court involvement, and protection for the access and privacy rights of employees of provincially-regulated private sector businesses.”

PIPA applies to not for profit and private business sector in Alberta. For more information about PIPA, join us at the PIPA Conference in Calgary Nov 13-14.

Alberta, PIPA

Alberta’s Minimum wage increase Sept 1

Posted on September 28, 2014 by Jean Eaton in Blog

Did you know . . . Alberta’s general minimum wage increased to $10.20 from $9.95 per hour effective September 1, 2014.

For more information about Alberta’s Employment Standards, see http://work.alberta.ca/documents/Minimum-Wage.pdf

How savvy are you about your rights and responsibilities?

Take the on-line quiz at http://work.alberta.ca/workright.

Alberta, minimum wage, workplace

Netcare access to Registered Nurses as Custodians

Posted on September 22, 2014 by Jean Eaton in Blog

Are you a Registered Nurse and work in occupational health, at a First Nations care centre, at a remote nursing station, for a federal jurisdiction or for an authorized homecare service? Are you self employed?

If any of these describe your practice setting, you may be eligible to apply for access to Netcare as a custodian.

One of first things you need to do is submit a Privacy Impact Assessment (PIA) to the Office of the Information and Privacy Commissioner (OIPC).

Privacy Impact Assessment for Netcare (often bundled with EMR implementation Privacy Impact Assessment) must refer to Alberta Netcare Portal (ANP) Privacy Impact Assessment H3879. OIPC will not accept any PIA's referencing the ‘old’ Netcare PIA H1124.

If custodians (physicians, pharmacists, registered nurses, etc) have a PIA accepted prior to August 2012 and they want new / continued access to ANP they must amend their PIA and submit to OIPC.

Netcare (ANP) now requires all Provincial Organization Readiness Assessement (pORA) including completing “Section Two: Mandatory Security Requirements for S2S Sites”.

For more information, see

CARNA website and resources.

Information Mangers blog post, Do you have Netcare

Alberta, CARNA, HIA, Netcare, Registered Nurses

Do you have Netcare?

Posted on September 22, 2014 by Jean Eaton in Blog

Netcare's PIA Process

When we provide our personal and sensitive information to a healthcare provider, we want assurances that the confidential information will be respected. We expect that our information will only be shared with people who need to know the information to provide health services to us. Alberta's Health Information Act requires healthcare providers (custodians) to put appropriate safeguards in place to protect the privacy, confidentiality, and security of health information.

Alberta Netcare, also known as the Alberta Electronic Health Record (EHR), is a network of information systems that allows authorized users to see prescriptions, lab results, diagnostic images (e.g. x-rays and ultrasounds) and hospital reports (e.g. hospital discharge summaries). Netcare is used throughout Alberta in hospitals run by Alberta Health Services and Covenant Health and in medical clinics and pharmacies. This is managed by Alberta Health, Government of Alberta. Alberta Health Services (regional health authority), community pharmacies, labs and diagnostic imaging centres and other agencies upload patient information to Netcare.

Netcare Portal PIA

Each custodian is required by Health Information Act to submit a Privacy Impact Assessment to the OIPC. Alberta Health submitted a Privacy Impact Assessment (H1124) in 2006 for Alberta Netcare Portal (ANP) and an updated Privacy Impact Assessment (H3879) in March 2013.

Healthcare providers (custodians) who request access to Alberta Netcare Portal (ANP) must submit a Privacy Impact Assessment to the OIPC that documents the healthcare providers’ computer systems integration with Alberta Netcare.

If you have a previous Privacy Impact Assessment that was accepted by the OIPC regarding your access to Alberta Netcare Portal and it is less than two years old, you can submit a Privacy Impact Assessment Addendum. If you have previously completed a Provincial Organization Readiness Assessement (pORA) you will need to review and update the pORA including completing “Section Two: Mandatory Security Requirements for S2S Sites” and return it to Alberta Health for review and approval.

If you have not yet submitted a Privacy Impact Assessment

You need to submit a PIA to the OIPC for acceptance. This must reference the ANP Privacy Impact Assessment (H3879). You must also complete and submit a pORA including “Section Two: Mandatory Security Requirements for S2S Sites”.

Questions to ask:

1) When was the last time we reviewed our PIA? (This should be reviewed annually.)

2) Do we have / do we want access to Alberta Netcare Portal (ANP)? If ‘yes’, then:

3) Was your Privacy Impact Assessment accepted more than two years ago (before August 2012)? If ‘yes’, then

Review and amend your PIA and submit to OIPC including reference to ANP Privacy Impact Assessment H3879 and
Review your pORA including “Section Two: Mandatory Security Requirements for S2S Sites”. You will likely need additional support from your computer network vendor and your EMR vendor.

4) If you are a Registered Nurse and work in occupational health, at a First Nations care centre, at a remote nursing station, for a federal jurisdiction or for an authorized homecare service or self employed, you may be eligible to apply for access to Netcare as a custodian. The above steps also applies to you.

Please share this information with colleagues and your computer network support, EMR vendor, and privacy officer in your organization.

PS

Not all healthcare providers are custodians as defined by Health Information Act. For more information, see our blog, HIA Amendments and Document Management Tip

For more information see:

Alberta OIPC. Bulletin Health Information Act Bulletin August 2014 Update.

Alberta Netcare, Your System Integration with Alberta Netcare.

CARNA Netcare Access to Registered Nurses as Custodians.

Need to do a Privacy Impact Assessment or a Privacy Impact Assessment amendment? We have a course for that!

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course

Alberta, E-course PIA; privacy impact assessment, HIA, Netcare, PIA, pORA, Practical Privacy Coach, privacy officer

Mandatory privacy breach reporting proposed for HIA

Posted on March 3, 2014 by Jean Eaton in Blog

Information and Privacy Commissioner Jill Clayton has written to the Minister of Health to formally request the Government of Alberta consider amending Alberta’s Health Information Act (HIA) to include mandatory breach reporting and notification provisions.

In the letter, items for consideration in an amendment to the legislation include who should be notified about a breach, what the triggers are for notification, what should be reported and in what time frame, and whether there should be penalties, sanctions or other consequences for failing to notify. A copy of Commissioner Clayton’s letter has been posted to the Office of the Information and Privacy Commissioner’s website at www.oipc.ab.ca.

There are several current legislation that requires mandatory privacy breach reporting including PIPA in Alberta. We have best practices to follow when we have a privacy breach involving health care. (See our Document Management Tip: Privacy Breach Reporting Form as a sample tool to follow).

In healthcare, we strive to pay attention to details to provide the best care and treatment for our patients and respect the privacy of their personal information. However, we are human and errors do happen. How ‘small' or ‘big' does a privacy breach need to be require notification to a regulator? What might be the implications to a business if they must report each privacy breach? Are there other alternatives to mandatory breach reporting that we should consider?

Send me a comment by email and we'll compile the list and add to a future article.

Related Articles:

When is a privacy breach a privacy breach?

Webinar March 25, 2014 – 3 Mistakes in managing a privacy breach

Alberta, healthcare, Practical Privacy Coach, privacy breach reporting

Stolen Laptop Results in Privacy Breach

Posted on January 25, 2014 by Meghan Davenport in Blog

A laptop with the unencrypted personal health information of 620, 000 Albertans was stolen in September of 2013.

The laptop, belonging to an information technology consultant for Medicentres, was stolen on September 26th, and contained the names, dates of birth, provincial health card numbers, billing codes and diagnostic codes of individuals seen at Medicentres between May 2, 2011 and September 10, 2013.

The process of notifying the public was delayed because Medicentres was trying to figure out how to best do it, chief medical officer Dr. Arif Bhimji said.

“…[T]his was the first time ever having to deal with this sort of situation and it took a lot longer than we would have liked it to take.”

Questions are now being asked as to why the consultant had access to so much information, and why the laptop's data was not encrypted.

Privacy Commissioner Jill Clayton is launching an investigation into the event, and the probe will also be taking a wider look of how privacy breaches are reported in Alberta.

For more information about this privacy breach, visit CBC.ca.

Are you concerned about what your organization would do in the event of a privacy breach? Would you know how to handle it? Visit our Training Calendar for more information about an upcoming webinar!

Alberta, breach, encryption, health information, privacy, privacy breach

PIPA Legislation Submission

Posted on January 15, 2014 by Jean Eaton in Blog

The Supreme Court of Canada recently declared that Alberta's Personal Information Privacy Act (PIPA) is in breach of s. 1 of the Charter. The Alberta legislature must now decide how to make the legislation constitutionally compliant.

PACC is a national, non‑partisan, non-profit association and the leading organization in Canada that is dedicated to access and privacy in both the private sector and the public sector. PACC is the certifying body for access and privacy professionals, and engages in outreach efforts to advance awareness about access to information and data privacy in Canada.

PACC is dedicated to ensuring the independent autonomy of Canada’s access and privacy professionals to administer Canadian privacy legislation, while directly and impartially addressing the needs of industry, the public and private sectors. PACC is preparing a submission to the review process and invites you to participate. For more information or to become a member of the PACC, visit www.PACC-CCAP.ca or their newsletter.

Questions to consider: What aspects of PIPA should remain unchanged, and why? What will be the positive and negative consequences of preserving these aspects as they now are. What aspects of PIPA should change, and in what way? What will be the practical effect of your proposed changes. What, if any, aspects of PIPA (Alberta), PIPA (BC), and PIPEDA ought to remain unique? What, if any, ought to use consistent language or definitions?

Alberta, PACC, PIPA, privacy legislation

Pharmacist Used Health Information for Personal Reasons

Posted on January 4, 2014 by Meghan Davenport in Blog

A Calgary pharmacist has been cited for using the health information of a patient in an attempt to establish a personal relationship with her.

The woman complained to the Information and Privacy Commissioner, alleging that the relief pharmacist employed at a pharmacy in Calgary, had contacted her twice by phone and attempted to “friend” her on Facebook.

The Health Information Act (HIA) prohibits employees from using health information for purposes not required to do their job. The investigation by the Privacy Commissioner found that the pharmacist misused health information, and that the pharmacy manager had failed to provide privacy and security training to the pharmacist.

The pharmacy had access to privacy policies and training but the pharmacist in question was not made aware of these policies by the pharmacist manager. The investigation concluded by reinforcing the need for following through on administrative and technical safeguards and training for all staff.

Do you provide privacy training for all of your staff – including professional healthcare service providers? How do you document that each staff has received the training? How often do you re-fresh or update the training? A privacy management program is an important part of your responsibility as a healthcare provider, practice management and business owner. See our training programs for additional resources you can use right away.

For more information, check out the full OIPC Investigation Report H2013-IR-02

You can also read the Calgary Herald article (Dec 17, 2013) here

Alberta, breach, complaint, Health Information Act, HIA, OIPC, privacy, privacy breach

What Makes a Good Salesperson?

Posted on December 11, 2013 by Meghan Davenport in Blog

Capital Ideas Edmonton is a place where Edmonton's entrepreneurs share what they know. Their event in November asked creative types to share what qualities a good salesperson needs. They came up with some great ideas:

Sell something that you'd want to own yourself
Have confidence to do what you want
Be authentic
Be honest – customers will trust your judgment and knowledge
Be friendly
And a tip from Jean Eaton: Be a Good Listener!

Jean at the Capital Ideas photobooth

See their latest article for more ideas here.

Attend their next panel event on December 18: “What Business Book Changed Your Life?” See their website for more information and to RSVP.

Alberta, Capital Ideas, Edmonton, What makes a good salesperson

Alberta’s Health Information Act (HIA) Amendment

Posted on October 3, 2013 by Jean Eaton in Blog

The Health Information Act (HIA) was amended was approved by Orders in Council on September 3, 2013.

The amendment includes:

Naming a non‑regional health authority Family Care Clinic approved by the Minister as a custodian. (HIA s2(1)(g)).

Disclosure of registration information – For the purposes of section 36(c) of the Act, a custodian may disclose individually identifying registration information about an individual without the consent of the individual

(a) to an ambulance attendant or ambulance operator under the Emergency Health Services Act,

(b) to the Minister of Health or Minister of Human Services for the purpose of administering the Aids to Daily Living Program, or

(c) to the Minister responsible for the Seniors Benefit Act and the Seniors’ Property Tax Deferral Act for the purpose of administering those Acts.

Remember to update your policies and procedures! See our Document Management Tip for a sample policy update that you can use to insert into your Health Information Management and Security Manual.

Alberta, Alberta HIA Amendment, amendment, custodian, Family Care Clinic, HIA, policies, templates

1 2 3