In our healthcare practices, we have policies and procedures to identify the reasonable safeguards we need to take to protect personal and health information entrusted to us. But when employees complete their roles off-site, due to personal circumstances or to ensure business continuity in unusual situations, we need to take action to ensure reasonable safeguards are in place to protect the privacy, confidentiality, and security of personal health information.
Remote Work May Be Available To Employees
Working from home is at the sole discretion of the custodian and owner of the clinic. Examples when this may be applicable include:
- Business continuity – due to technical, physical, or other unusual circumstances.
- Work levelling – volumes of work are distributed to another location usually for a short duration.
- Illness / personal circumstances – where an employee is unable to report to work at the clinic but can continue to complete their roles off-site.
Some administrative tasks in a healthcare office – for example, incoming phone calls, appointment booking, appointment reminders, billing, and/or transcription – could be done from a home office environment. Sometimes even follow-up and consultations from the healthcare provider can be done remotely, too.
The healthcare provider or custodian is ultimately responsible for ensuring the secure collection, use, and disclosure of health information.
For the purposes of this article, the ‘custodian’ may be the healthcare provider defined by the HIA, or the lead healthcare provider or owner in your practice.
In Alberta, a ‘custodian’ is defined under the Health Information Act as a health services provider who is designated in the regulations as a custodian, or who is within a class of health services providers that is designated in the regulations (HIA section 1(1)(f)(ix)).
This includes:
- Physicians
- Pharmacists
- Optometrists
- Opticians
- Chiropractors
- Midwives
- Podiatrists
- Denturists
- Dentists and dental hygienists
- Registered nurses
Is Remote Working Good for Your Business?
As the custodian, you must decide if remote working is a good option for your business. When you decide that this is a viable option for your business, you then need to:
- Determine if remote working is appropriate for your employees.
- Identify what clinic / business resources need to be provided to the employee remote worker.
- Determine what reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.
You will likely continue to have both on-site and remote workers. The custodian will decide what ratio is appropriate to provide patient care and meet business goals on both a short-term and a long-term basis.
Regulations, Standards, Policy
Each healthcare business has multiple sources of sensitive information, including employee, financial, business, and health information. Custodians and owners have a responsibility under a variety of regulations, professional practice standards, and internal policies to protect the privacy, confidentiality, and security of personally identifying information (PII).
Health information is sensitive information. Reasonable efforts must be made to ensure that identifying and sensitive information is protected from unauthorized access, loss, or damage during and outside work hours. What a custodian may consider reasonable efforts during a pandemic may be different from reasonable efforts under normal circumstances.
During a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing.
Privacy Impact Assessments
In Alberta, section 64 of the Health Information Act (HIA) requires custodians to prepare a privacy impact assessment (PIA) and submit it to the Office of the Information and Privacy Commissioner (OIPC) of Alberta prior to implementing a new administrative or technical process in a healthcare practice.
The OIPC in Alberta requests in its notice of March 19, 2020, that custodians notify the Commissioner about new administrative practices or information systems. Your submission to the OIPC should include a description of what the new program is meant to achieve and any safeguards for health information.
Standards
Your professional college may also have standards of practice and recommendations that impact your decision to implement remote working or virtual healthcare.
The Advice to the Profession series from the College of Physicians and Surgeons of Alberta (CPSA) offers guidance documents to help you assess the security risks and safeguards of electronic communications, including laptops and mobile devices, and determine appropriate safeguards.
From the College of Physicians and Surgeons of Alberta (CPSA):
Review Your Current Policies and Procedures
Don’t cut corners. Instead, build privacy into your decision. Create, review, and update your policies and procedures.
Use the Remote Worker Privacy and Security Checklist to help you document your decisions and expectations with eligible employees.
You may also need to consult your information technology support providers to ensure up-to-date computer and network security has been implemented.
Virtual Healthcare
Healthcare providers may consider providing virtual healthcare services to their patients. The healthcare provider may be at their usual clinic or office location and use all of their existing systems and tools to access patient records in paper or electronic medical records (EMR).
Alternatively, the healthcare provider may be working remotely, too. The same privacy, confidentiality, and security safeguards apply to their home working location.
If you are choosing to implement a new virtual healthcare solution specifically to respond to the current public health emergency, the Office of the Information and Privacy Commissioner (OIPC) of Alberta advises that
“. . . custodian[s] need to determine what are reasonable safeguards in the circumstances and be prepared to justify their decision. Health custodians should also ensure individuals are aware of any heightened risks to privacy as a result of a new administrative practice or information system being implemented.”
Remember, you can leverage existing technology – like the telephone – to keep in touch with your patients. This likely would not be considered a new administrative or technological practice that would require a PIA. This might also be a great time to fully implement your current patient portal functionality from your EMR vendor, too.
You may decide, based on your evaluation of the potential risks and the reasonable safeguards that you can quickly implement in response to the new public health emergency, that authorizing remote working or a new videoconferencing solution is not the best choice at this time.
Select the process that ensures continuity of care to the patient, including appropriate documentation in the patient record and the protection of the PII.
Reference
Notice: PIAs During Public Health Emergency, March 19, 2020, Office of the Information and Privacy Commissioner (OIPC) of Alberta
The Practice Management Success Tip, Remote Worker Privacy and Security Checklist, will help you:
- Determine if remote working is appropriate for your employees.
- Identify what clinic / business resources need to be provided to the employee remote worker.
- Determine what reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.