Information Managers
  • Home
  • Services
    • All Services
  • Blog
  • Upcoming Events
  • Contact Us
  • Practice Management Success
  • Podcasts

Recent Privacy Breach Convictions Under Alberta’s Health Information Act

Posted on October 15, 2019 by Jean Eaton in Blog

In August 2018, Alberta proclaimed amendments to the Health Information Act (HIA) that requires healthcare providers (custodians) to report a privacy breach with a risk of significant harm to the Office of the Information and Privacy Commissioner (OIPC), the Ministry of Health of Alberta, and of course, to patients affected by the privacy breach.

This requirement that custodians must report a privacy breach to the to the OIPC has resulted in a huge increase in the number of reported privacy breaches in healthcare.

Custodians includes healthcare providers like physicians, pharmacists, chiropractors, dentists, optometrists, registered nurses, health authorities, and more

This is not unexpected. We in healthcare know that there are many privacy breaches that happen everyday. Many of these breaches are honest mistakes. However, an increasing number are intentional, malicious actions intended to harm others.

The benefit of having these breaches reported to a regulator is to improve compliance to reasonable safeguards to protect the health information of Alberta residents. And, as a result, more custodians and affiliates (people that work for a custodian) are being held accountable under the HIA legislation to ensure that they are meeting the reasonable safeguards.

In the first year of mandatory privacy breach notification, the OIPC has received over 1,000 reports. Previously, when privacy breach reporting was discretionary, the OIPC received an average of 130 voluntary reports of privacy breaches annually.

​

What Happens When A Privacy Breach Is Reported To The OIPC

When a privacy breach is reported to the OIPC, the OIPC will review the report and consider the custodian’s determination if a reasonable risk to the patient(s) was present. The OIPC will review the report and consider:

  • agree (or not) with the determination of risk of harm
  • was the patient notified appropriately
  • is there an offence under the HIA
  • is an investigation warranted

If an investigation is indicated, the OIPC will conduct the investigation and report their findings to the Crown prosecutors at Alberta Justice. The Crown will determine if it will continue to press charges under the HIA.

Under the recent amendments to the HIA a custodian or an affiliate or both could if found guilty of an offence is liable for a fine anywhere between $2,000 to $500,000 depending on the circumstances and the nature of the offense. Other sanctions may also be applied by the court.

It takes time to report a privacy breach, have it reviewed and investigated by the OIPC and the Crown, and have individuals charged and appear in court.

We are now starting to see the first cases charged after the August 2018 amendments coming to court and privacy breach convictions under the HIA.

Unauthorized Access By Employees

During a routine internal audit of health records in the Alberta Public Laboratories clinical lab at the Red Deer Regional Hospital identified unauthorized access by lab employees. These breaches were first identified by the hospital during a routine audit of their electronic record systems. The internal investigation between December 2018 and May 2019 identified 2,158 patient records were accessed. Alberta Health Services reported that 30 staff were involved in these breaches and three staff are no longer employed by the lab.

Do you do routine audits? Here’s how.

There have been three recent decisions in from the Alberta provincial courts as a result of mandatory privacy breach reporting legislation.

Suspicious Activity Leads to Investigation And Charges

In June 2018, Alberta Health Services (AHS) received reports of suspicious activity by a billing clerk in Red Deer. An internal audit and investigation indicated that the clerk accessed the health records of 52 Albertans without authorization. AHS reported the breaches to the OIPC in June 2018.

The OIPC opened an offence investigation and referred its findings to the Specialized Prosecutions Branch of Alberta Justice. Charges were laid in July 2019. The former AHS billing clerk received a $5,000 fine on August 2019 and was ordered not to access health information for one year.

Snooping By A Clinic Employee

In another case, an Edmonton medical clinic employee was fined after pleading guilty to health data breach. The employee knowingly accessed health information of two people and made suspicious statements to the two individuals about their personal medical details. The individuals then requested access to the audit logs and the provincial electronic health record system, Alberta Netcare.

The individuals reported a complaint to the OIPC at which point the OIPC conducted an investigation.

The employee was charged in March 2019 and plead guilty in provincial court on September 26, 2019. She was fined $3,500 and ordered to pay a victim surcharge of $525.

Are Your Employees Privacy Aware? Start now!

Unauthorized Access By A Billing Clerk

On September 30, 2019 in Red Deer Provincial Court a billing clerk with Alberta Health Services was fined $8,000 for illegally accessing health records. The clerk opened health records of 81 people over 4,7471 occasions without authorization from his employer and custodian. The court also added the following conditions

  • 1-year probation
  • order to attend treatment and counselling and
  • not be employed in a position that allows him access to health information for 1 year

We will continue to see investigations under the HIA at appearing in our courts. The OIPC is currently investigating over 20 incidents and has flagged 70 more as potential offences.

Each of these incidents involved employees making poor choices about accessing patient health information. Reasonable prevention steps include privacy awareness training for every employee, healthcare provider, and contractor. In addition, every healthcare practice should be, monitoring access to records with routine audits and applying sanctions.

We obviously don’t speak often enough about what is acceptable, appropriate, and authorized access to patient’s health information.

Preventing a privacy breach is always less expensive than managing a privacy breach.

A privacy breach management plan will help you to prevent a breach and, when a breach happens, identify a privacy breach early to limit the risk of harm, size, and the cost of the breach.

 

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE 15 Minute Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Not sure what is considered a privacy breach? See When is a Privacy Breach a Privacy Breach?

 

References

CBC News. Investigation finds improper access to patient records at Red Deer hospital. Posted: Oct 04, 2019 12:48 PM MT | Last Updated: October 4 https://www.cbc.ca/news/canada/edmonton/red-deer-patient-records-breach-1.5309419

CBC News. Edmonton medical clinic employee fined after admitting to health data breaches. Posted: Oct 03, 2019 10:56 AM MT | Last Updated: October 3 https://www.cbc.ca/news/canada/edmonton/health-information-alberta-access-1.5307453

CBC News. AHS billing clerk fined $8,000 for illegally accessing health records Posted: Oct 09, 2019 10:47 AM MT | Last Updated: October 9. https://www.cbc.ca/news/canada/edmonton/ahs-billing-clerk-fined-8-000-for-illegally-accessing-health-records-1.5314783

CBC News. Jennifer Lee. Reports of health-care privacy breaches spike in Alberta. Posted: Oct 11, 2019 5:00 AM. https://www.cbc.ca/news/canada/calgary/health-care-privacy-breaches-spike-alberta-1.5316230

clinic, custodian, health, Health Information Act, healthcare, HIA, mandatory privacy breach notification, medical, physicians, privcy breach, reasonable safeguards

Healthcare Policies And Procedures: Essential in EVERY practice

Posted on October 8, 2019 by Jean Eaton in Blog

Policies and Procedures: What Are They and Why Do Healthcare Practices Need Them?

 

Policies and procedures are essential tools in EVERY healthcare practice.

We use written policies and procedures to ensure consistent office procedures and good communication between team members, but it doesn’t stop there.

Before we get to the many benefits of healthcare policies and procedures, let’s cover exactly what these terms mean.

Policies and procedures defined

For our purposes today, this is what we mean by these terms:

Policy: A set of ideas or plans that is used as a basis for making decisions.

Procedure: A fixed, step-by-step sequence of activities or course of action.

Both policies and procedures serve several important purposes in a healthcare practice.

Policies and procedures can help you:

  • Protect your practice with consistency in decision making and implementing routine tasks.
  • Provide team members direction and guidelines; help avoid micromanaging. Here’s more information on how policy and procedure checklists help with employee privacy and security.
  • Ensure quality and cost-effective processes.
  • Well thought out policies and procedures reduce re-work and make for more efficient practices.
  • Encourage team members to work to their full scope of responsibilities.
  • Contribute to compliance, including professional standards, HIA, insurance.
  • Protect your healthcare practice by demonstrating your administrative safeguards.

As powerful and effective as policies and procedures can be, they can also pose certain problems or risks if they’re not implemented properly — or if they don’t exist in the first place.

On that note, if you have policies and procedures in place, it’s also imperative to know where they are. Don’t miss this cautionary tale where I tell you why.

If your policies and procedures are unclear or non-existent, these are some of the risks you expose a healthcare practice to:

  • Fines and even jail time for the healthcare provider
  • Increased conflict and potential for misunderstanding within a practice
  • Increased conflict between employees, misunderstanding, and poor customer service
  • Poor business decisions and wasted time and money 

Simply talking about your policies and procedures is not a good business strategy! You need to have clear healthcare policies and procedures in place if you want to reap all of their benefits.

So, let’s go over what makes a good healthcare policy with a clear and effective design.

Policies ask WHY and WHAT

Policies are the steps to put your goals into action — policies are proactive.

The WHY: Why is this policy needed? It is the general guide for decision-making.

The WHAT: What do you want to show for programs, activities, and services?

Each year, policies need to be reviewed and authorized by the clinic manager, privacy officer, healthcare provider and/or owners. Your team members need the opportunity to review and understand the policies regularly, too.

Review policies to assure that they reflect what the clinic is doing and that the clinic is following the written policy. Changes may need to be completed and approved.

Now, let’s cover what makes for good procedures before we get to how to create your manual.

Procedures ask HOW

The HOW: How you plan to carry out the objectives and details listed in your policies?

Your procedures should include sufficient detail so a new employee can complete a task based on the information provided.

We’ve discussed the objectives of your policies and procedures for your healthcare practice, now here are some useful tips for actually creating your policies and procedures manual:

  1. Include screen prints if computer-based.
  2. Include video explanations.
  3. Format the policy and procedures so that each policy or procedure is a separate, stand-alone document.
  4. Assign a NUMBER to each policy and procure to make it easy to reference in your PIA, or direct your staff to review. You can use any numbering system that you want — I usually use a sequential numbering system.
  5. Headings make it easier to group your information which makes it easier for the reader to review and then focus on the details that they need. Repeat the same headings throughout the policies and procedures to provide consistency across the manual. Use the headings as needed; not all policies or procedures need all the headings.
  6. Cite legislative and standards requirements, like the HIA.

When you’re implementing changes to these policies and procedures or creating them in the first place, be sure to involve key parties. This includes:

  • Custodian/trustee/business owner
  • Clinic manager/team lead
  • Privacy officer

Remember, implementing a new procedure or policy successfully must always include training and discussion with your team.

Stay tuned for an upcoming post where we discuss which policies and procedures to include In your healthcare practice and your privacy impact assessment.

​

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

 

Safeguards: The What, Why, and How

When Do You Need a PIA Amendment?

When is a Privacy Breach a Privacy Breach?

clinic, custodian, health, Health Information Act, healthcare, HIA, medical, physicians, PIPA, Policies and procedures, Privacy Impact Assessment, reasonable safeguards

Why Do You Need Health Information Policies and Procedures?

Posted on September 24, 2019 by Jean Eaton in Blog
1shares
  • Share
  • Tweet
  • Pin

Maybe you’ve heard you need written policies and procedures for your health information, but you’re left asking yourself why it’s so important?

The truth is, without written policies and procedures, you open a healthcare practice up to a whole host of problems, including major legal issues.

In fact, every business needs good practices that apply to your:

  • Information that you collect from patients/clients
  • Website
  • Email
  • Business practices including electronic (or paper) patient records, and computer network
  • Financial information
  • Billing, collection, and payment processing

Within the healthcare industry, there are additional legislation requirements that require specific written health information policies and procedures.

The Health Information Act (HIA) and the Personal Information Privacy Act (PIPA)

As we mentioned, when a custodian collects health information, you must follow the Health Information Act (HIA) in Alberta.

Like most other private businesses in Alberta, private healthcare practices must also comply with the Personal Information Privacy Act (PIPA).

The colleges of regulated health professionals (like the Alberta Dental Association and College (ADAC) and the College of Physicians and Surgeons of Alberta (CPSA), require dentists and physicians to meet the standards of practice which includes compliance to HIA and PIPA legislation.

In addition, the college has other standards of practice that you must meet, including policies and procedures for the collection, use, disclosure, and access of health information.

So, let’s explore further why written policies and procedures are so essential, as well as what can happen without them, and why healthcare practices may not think they need them in the first place.

Benefits of Policies and Procedures

One of the most critical benefits of having policies and procedures in place is that they’re good for business.

Here’s how:

  • They contribute to consistent, efficient workflow.
  • You can figure it out once, write the procedure, tweak it to make it better, and then repeat the same procedure again and again.
  • They help you make better business decisions, like buying supplies, choosing services, and selecting vendors.
  • They help support your accreditation efforts.
  • On-boarding employees the right way with no missed steps is much easier with policies and procedures in place.

If you’re looking for even more proof of the benefits of having written procedures, it can also help you avoid:

  • Internal disputes within your team and external disputes with your patients and clients
  • Re-work and re-training employees
  • Poor customer service
  • Poor reputation
  • Fines and penalties

Fines And Penalties For Not Having Written Policies And Procedures

You might be wondering why you would face fines and penalties for not having written policies and procedures in the first place.

The HIA requires the custodian – which includes the dentist or dental hygienist – to take reasonable safeguards to protect the privacy and confidentiality of patients’ health information.

Having written policies and procedures is a common, expected, and reasonable safeguard.

Let’s say you have a privacy breach in your practice or an error (like sending a fax to the wrong number or you are a victim of a phishing or ransomware attack).

You can learn more about what makes a privacy breach a privacy breach here.

If you can’t demonstrate that you had the appropriate reasonable safeguards, like written policies and procedures in place, you are guilty of an offence under the law.

It’s illegal not to have policies and procedures when you collect health information.

If you are guilty of this offence, you are liable for a fine of a minimum of $2,000 and not more than $500,000. (HIA section 107(7)).

3 Policies and Procedures Myths

One reason some healthcare practices fail to have written policies and procedures is because they believe they don’t need them.

Often, this is because they’ve fallen prey to the common myths about policies and procedures.

There are 3 of the common myths that stop healthcare providers and their clinic managers from creating written policies and procedures:

  1. It’s Too Hard

While it does take some skill to write clear, easy to read, and easy to understand policies and procedures, it doesn’t have to be heard. In fact, you can even purchase templates to make this easier. 

  1. It Takes Too Much Time

Writing policies and procedures does take some time.

But investing the time to create policies and procedures pays off by preventing suffering from inconsistent or broken procedures, using or disclosing health information in error, and having to pay fines, penalties, public relations nightmares, or spending the time required to run a privacy or security investigation.

  1. It’s A Waste Of Time

Here are a few good reasons that prove writing policies and procedures is not a waste of time:

  • Practical privacy policies and procedures will create a more efficient practice and help you make better business decisions.
  • The policies and procedures become the foundation of your privacy impact assessment.
  • Policies and procedures are pre-requisites for other initiatives, like access to Netcare or other community integration initiatives, and privacy impact assessment (PIA). Click here to learn more about PIAs.
  • You must have them as part of your legislative compliance.
  • It’s the law. Not having policies and procedures regarding the collection, use, disclosure, and access of health information is illegal.

As you can see, written policies and procedures help ensure consistent office procedures and good communication between team members in your healthcare practice.

In addition to those good reasons, you must have good written policies and procedures about how you collect, use, disclose, and provide access to health information to avoid legal problems, fees, penalties, and other problems.

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies and Procedures Are?

When Do You Need a PIA Amendment?

What is a PIA?

Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, physicians, PIPA, Policies and procedures, privacy, Privacy Impact Assessment, reasonable safeguards

Do You Use Employee Privacy and Security Policy and Procedure Checklist Templates?

Posted on September 12, 2019 by Jean Eaton in Blog

Why Do You Need Employee Onboarding and Exiting Checklists?

There is much excitement when we welcome a new hire to our team and many administrative tasks need to take place to get this individual up and running.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed to protect patient privacy as required by our professional colleges and privacy legislation. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

To ensure that onboarding a new employee is a smooth transition, it is imperative to follow a practical checklist procedure to make sure no important steps are missed. There are also many other managerial benefits to adopting this high-quality process

  • Better job performance and satisfaction
  • Greater commitment to protecting privacy in the organization
  • Reduced stress and better staff retention

Employee Privacy and Security Checklist

Policies and procedures is a reasonable safeguard to protect the personal and health information entrusted to us. But polices and good intentions alone is not enough; we also need to take action to ensure our policies are understood and being followed by all our employees.

Training new and existing staff on privacy and security best practices is instrumental in making your healthcare practice a success and maintaining its fine reputation. Following a systematic approach to welcoming a new employee, transitioning an existing employee into a new position, or offboarding an employee who is exiting will guarantee that valuable privacy and security training and accesses are completed.

Read this Privacy Breach Nugget that explains what can happen if you don’t have these good practices in place. Do You Know Where Your Policies And Procedures Are? 

New Employee Orientation / Onboarding

New employees are a welcome addition to any team and there is a vast amount of training that needs to take place from general procedures on how to handle phone calls to signing confidentiality oaths to becoming familiar with all policies and procedures, in addition to learning the everyday job duties for their own position.

Since privacy is good for business, we do not want to miss any important opportunities to train our new staff on privacy and security best practices. Using the Employee Privacy and Security Checklist will help facilitate training discussions and document the authorized accesses of each employee.

Existing Employees / Annual Review

The checklist will also act as a tool for each employee at their performance review. Provide positive feedback and observations of an employee’s successes in protecting personal information. Discuss opportunities for improvement, too. This is also a good time to review an employee’s current authorized role based accesses and determine if any changes to match the employee’s current job duties is needed.

Ensure that the employee still has ‘tokens’ that they were given at the time of their hire, like identity badge, keys to the clinic or Alberta Netcare RSA fob.

Privacy and security best practice dictate that confidentiality oaths should be signed on an annual basis and annual privacy awareness and security refresher training should also be provided to all employees. In the event of a privacy incident or breach, it is imperative that a healthcare practice can prove by their documentation that regular privacy and security training is provided to their staff.

Transferring / Exiting Employees

When an employee transitions into a new role or is terminated, review, and update the privacy and security checklist to ensure that access and permissions are appropriately modified or terminated.

Custodian Responsibility

Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This includes having appropriate policies and procedures in place, as well as demonstrating and documenting that you have implemented your plans. This is a requirement of professional college standards of practice and privacy legislation like the Health Information Act (HIA).

See the article Do You Know Where Your Policies And Procedures Are? to learn what can happen to you if you don’t have your employee training process well documented

The Employee Privacy and Security Checklist will make it easy for you to ensure your new hires, existing employees, and transferring or exiting employees are privacy and security compliant.

 

Download the FREE Report - Employee Privacy and Security Policy and Procedure Checklist Template

If you are a member of Practice Management Success, login and access the webinar replay, and the policy, procedure, and checklist template.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security expecially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

 

 

clinic, health care, healthcare, medical, policy, Practice Management Success, privacy, procedure, template

Do You Know Where Your Policies And Procedures Are?

Posted on September 2, 2019 by Jean Eaton in Blog

This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice. 

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. #PoliciesClick to Tweet

Don't let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta's Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose. 

It started with at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Employee Dispute

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigative report is not the current custodian at the clinic. The physician was hired in 2015 and therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8 (6) of the Regulation states the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodians administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.

Policy and Procedure Manual

Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

  • The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information in contradiction contravention of section 8(6) of the regulation.
  • The custodian was in contravention of section 8(6) of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note any collection use or disclosure of health information by an affiliate of a custodian is considered to be the collection, use, and disclosure by the custodian.
  • The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps. 

  1. Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
  2. Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
  3. Oath of confidentiality documents should be signed by all of all clinic staff and custodians and maintained in a secure location.
  4. Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.

Monitor

This incident occurred in 2016. The OIPC office did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide a provision for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure we have these administrative, technical, and physical safeguards in place and are maintained in a consistent fashion.

When you've done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Safeguards: The What, Why, and How

When Do You Need a PIA Amendment?

When is a Privacy Breach a Privacy Breach?

References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf 

#PrivacyBreachNugget, Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, Patient privacy, physicians, Policies and procedures, Prevent privacy breaches, privacy, privacy breach, Privacy Impact Assessment, reasonable safeguards, templates

Privacy Principles Applies After Death

Posted on August 5, 2019 by Jean Eaton in Blog

Are your staff looking at medical records when they shouldn’t be?

Many people have the mistaken impression they can look at a patient's medical records as long as they don’t tell anyone else.

You can’t.

We see over and over again in ‘snooping’ cases where seasoned and new healthcare providers and support team members don’t realize that looking at patient’s health information without a need to know that information to provide a health service right away is wrong.

Kate Dewhirst summarized this as

  • Privacy = don’t look
  • Confidentiality = don’t tell

We still need privacy awareness training – even those experienced healthcare providers who push back and say that they have been in the business for years still often have more to learn.

Yes, we still need privacy awareness trainingClick to Tweet

In this post I am sharing an example of the Ontario’s Information Privacy Commissioner (IPC) complaint investigation from the family of a deceased individual. Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

In 2014, a physician acting in his role as a coroner, accessed the deceased’s health record. Shortly thereafter, the family alleged that the physician, who was also a family member of the deceased, continued to access the deceased’s personal health information (PHI) contrary to Ontario’s Personal Health Information Protection Act (PHIPA).

The family submitted a complaint to the hospital. Initially, the hospital's response did not satisfy the family. The family filed a complaint to the Information and Privacy Commissioner (IPC) of Ontario.

The IPC started a complaint investigation.

Privacy Breach Investigation

Privacy Complaint Investigation

Under PHIPA, the hospital is a health information custodian and the physician is an agent of the hospital.

During the IPC investigation, the physician confirmed he “accessed the health information in response to his concern about the individual’s well-being.”

“I know now that proceeding in this way was misguided and wrong.” He would never disclose the information to anyone; that would be a violation of patient privacy and a breach of doctor – patient confidentiality.

The physician acknowledged he did not fully appreciate the related but distinct concepts of patient privacy, the circle of care, and the ‘need to know’ principle.

Confidentiality rights arise out the special relationship between the client and the health professional or provider.

In contrast, privacy rights are the general rights of all persons to limit the access to their PHI. Individuals have the right to privacy, even after death.

Individuals have the right to #privacy, even after death. Click to Tweet

4 Step Response Plan

The hospital received a complaint from the family, which triggers the first step to spot and stop the breach.

Secondly, the hospital did an initial investigation to evaluate the risks of the incident. Later, after the IPC initiated their complaint investigation, the hospital re-visited the internal investigation and completed a comprehensive review and used audit log reporting tools to assist them.

Eventually, the hospital took the third step and notified the individuals’ family of the privacy breach. However, the notification was not timely. A more comprehensive response to the families’ complaint, followed by a notice to the family may have provided a better response.

Preventing a similar breach is the fourth step.

Since this incident, the hospital has:

  • installed a new auditing program that considerably enhances its ability to detect unauthorized access.
  • updated its Privacy and Confidentiality Policy, which applies to all agents of the hospital.
  • developed a yearly electronic privacy training program for all staff, volunteers and learners and will require all credentialed physicians to complete this training as part of the annual reappointment process.
  • strengthened the privacy warning on its electronic system, which warns users that unauthorized use of personal health information may result in disciplinary action.

Privacy Breach Physician Sanctions

 

The hospital’s Medical Advisory Committee recommended to the Board of Directors that the physician’s privileges be suspended for three months, that the hospital conduct enhanced monitoring of the physician’s access to the electronic medical record for three years, and that, on his return to practice, the physician be required to present at Grand Rounds on the topic of privacy.

The IPC concluded that the disciplinary consequences for the physician were sufficient in the circumstances.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Privacy awareness education is more than just having policies and procedures. Demonstrating good practices, regular discussion about examples, and even gamification helps to ensure that all members of your healthcare team understand their roles and responsibilities.

If you need to start or update your privacy awareness training program, check out the on-line education Privacy Awareness in Healthcare: Essentials.

If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Plan.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video "Can You Spot the Privacy Breach?"

References and Resources

Dewhirst, Kate. After Death: Who Can Access The Records Of A Patient After Death? May 7, 2019. https://katedewhirst.com/blog/2019/05/07/after-death-who-can-access-the-records-of-a-patient-after-death/

Ontario Information and Privacy Commissioner IPC Investigation Report PHIPA DECISION 74 HC15-4 Sault Area Hospital August 10, 2018.

#PrivacyBreachNugget, 4 Step Response Plan, clinic, complaint investigation, death, deceased, healthcare, IPC, medical, Ontario, PHIPA, privacy, privacy after death, privacy awareness training, privacy breach, privacy breach nugget, privacy principles

When Do You Need a PIA Amendment?

Posted on July 23, 2019 by Jean Eaton in Blog

A Privacy Impact Assessment Is Good For Business

A privacy impact assessment (PIA) is part of a regular business process if you collect, use, or disclose personal health information in your healthcare practice. When you have a previous PIA that has been prepared, submitted to the Office of the Information and Privacy Commissioner (OIPC) and it has been accepted for use–well, that is not the end of your PIA journey.

You need to ensure that you are updating and amending your PIA as your practice matures and as you make administrative and technical changes to the procedures in your practice.

You need a PIA Amendment when you have a previously accepted PIA and any one of these common triggers below.

You Have a PIA That Was Written More Than 2 Years Ago

It is time to review and update this!

Under Section 8(3) of Alberta’s Health Information Regulation, custodians must periodically review the safeguards they have in place to protect health information privacy. This means that custodians need to regularly review the privacy risk mitigation plans set out in PIAs to ensure they continue to protect against reasonably foreseeable risks to the privacy of health information. The submission of your PIA to the Office of the Information and Privacy Commissioner (OIPC) is mandatory and must precede implementation of your new system or practice.

Change in Health Information Act (HIA) Legislation and Regulations

The HIA has undergone significant amendments in 2006, 2010, most recently in August 2018. Make sure that you have updated your privacy breach management program and include mandatory privacy breach notification to the (OIPC) and the Minister of Health (MOH). Again, ensure that your team training has been updated so that they know how to spot, stop, and report a privacy breach. (See Mandatory Privacy Breach Notification)

Changes In Your Electronic Medical Record or Computer Network

You have the same EMR database, but maybe the configuration has changed. For example, a change from a local to an application service provider (ASP) or cloud-based data centre or Software as a Service (SAS) model would trigger a PIA amendment.

Another trigger is a change in your computer network vendor or changes in wireless networking, remote access, or implementing mobile devices.

PIA amendment EMR computer network

Change in Participating Physicians / Privacy Officer

Since your original PIA, you may have new custodians, including physicians, registered nurses, chiropractors, and other health professionals named in the HIA that have joined or left your practice. Your Privacy Officer may have changed, too. Your amendment should include an up-to-date listing of custodians and privacy officers.

New Users / Information Sharing

There have been many recent information sharing initiatives in healthcare. You might now plan to participate in evaluation projects, patient panel management, or other community initiatives. Make sure that you have your PIA amendment and information manager agreements completed, too. (See – The Top 3 Agreements Your Healthcare Practice MUST Have (and Why).

A quick word of caution: if your new information sharing project includes data matching–the creation of new information by combining two or more sets of data—requires custodians to prepare a privacy impact assessment before performing data matching involving health information (HIA sections 70, 71). The custodian that carries out the data matching is responsible for preparing the Privacy Impact Assessment.

PIA amendment new users

Communicating With Patients

If you are adding new technology to keep in touch with patients for appointment reminders, on-line appointment booking, secure email or patient portals, these will trigger a PIA amendment or, perhaps, a project specific PIA. Make sure that your policies and procedures are up to date, too. (See – Can You Use Text Message With Your Patients? )

PIA Amendment Communicating with patients

Alberta Netcare Portal (ANP) / Community Integration Initiative (CII) / CPAR

ANP updated their PIA in 2016 and, therefore, you need to make sure that your corresponding policies and procedures and training have been updated, too. Remember – when you agreed to participate in ANP, you promised that you would review your threat risk analysis (TRA) and update your Provincial Organization Readiness Assessment (p-ORA) when changes occur and at least every two years.

If you want to participate in new initiatives like CII and CPAR, you need to review and update both your PIA and your p-ORA, too.

Maturing Practice

You have learned and grown since your original Privacy Impact Assessment submission. Have you implemented everything that you said that you would? Can you demonstrate that your teams have received privacy and security awareness training? Have you reviewed your Health Information Management Privacy and Security policies and procedures in the last two years?

Keeping up to date without any other significant changes to your practice may not trigger a Privacy Impact Assessment amendment. Make sure that you document your careful review so that you are prepared for your next Privacy Impact Assessment submission.

Important Business Decisions

Creating and reviewing your PIA regularly can help you to spot errors or gaps between the way that you do the work in the clinic and the way that you said that you were going to implement in your clinic.

The questions that we ask during the PIA process are important. The time that you take now to identify the potential risks and prevent those incidents from happening may save you time, money, reputation and even jail time in the future.

You Know Your Practice Better Than Anyone Else

When you have a coach to guide you through the PIA amendment process, provide you with templates, and give you feedback on your work in regular live training webinars, join me in the on-line step-by-step course, Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments.

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments

Find out more here: Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments or send me an email.

Practice Management Nuggets Podcast

This topic is included in our Practice Management Nuggets podcast! Be sure to tune in to the podcast episode

When Do You Need a PIA Amendment? | Episode #078

Listen to the Podcast
#PrivacyImpactAssessment, #ProtectYourPractice, Alberta, clinic, health care, Health Information Act, healthcare, HIA, how to do a pia, medical, Netcare, PIA, Privacy Impact Assessment, privacy impact assessment amendment, training

How To Capture Patient Satisfaction With CareSay

Posted on July 2, 2019 by Jean Eaton in Blog

‘This call may be recorded to ensure quality control.’

We’ve all heard the recorded message when we call our bank or service provider .

But, is this the best way to capture patient satisfaction with their healthcare visit experience?

Are you looking for options to capture patient satisfaction with their interactions with your office staff during phone calls and their entire visit?

There are other options that require less technology, easier to implement, respects privacy, provides a more meaning constructive, helpful, feedback for your clinic team and engages your patients to improve their satisfaction.

I reached out to Brian Lee from Custom Learning Systems about his suggestions on how to explore patient satisfaction.

Brian Lee is my guest expert on Practice Management Nuggets Podcast for Your Healthcare Practice. Brian Lee is one of North America’s leading experts in the field of World-Class patient experience, staff engagement and culture change.

In this 16 minute episode, Brian Lee, shares options for the healthcare provider and business owner to easily capture and measure the patient's experience and give them an opportunity for feedback so that you can improve patient satisfaction and patient care in your healthcare practice.

 

Brian Shares His Key Tips Including

  • Options to create a patient experience survey (including CGCAPS).
  • New tools that empowers the patient to provide clinics with feedback about their experience.
New tools empowers the patient to provide clinics with feedback about their experience.Click to Tweet

My Favorite Takeaways From The Podcast

  1. Ensure that we do constructive, positive education with our caregivers.
  2. Measure the patient's experience.
  3. Empower the patient to provide the clinic and the caregivers with feedback.

Be sure to tune in to my interview with Brian Lee on How To Capture Patient Satisfaction With CareSay | Episode #077

Then, click here to get the free CareSay Review app: the unique new app to help you Connecting service providers and patients in a whole new way!

If you are a member of Practice Management Success, login here and view the webinar replay.

#digitalhealth, #PatientCenteredClinic, #PatientEngagement, #PracticeManagementNuggets, Brian Lee, CareSay, CGCAP, clinic, Everyone's a Caregiver, healthcare, medical, patient centered clinic, patient satisfaction, podcast, review

Fax Received in Error – Is this a Notifiable Privacy Breach?|

Posted on March 28, 2019 by Jean Eaton in Blog

Has this ever happened to you?

You are a clinic manager in a healthcare practice. One day, you receive a phone from a healthcare provider in another clinic.

They have received a fax with patients’ health information from someone in your clinic. But the fax is not addressed to them – they received it in error.

Is this a mandatory notifiable privacy breach under Alberta’s new Health Information Act (HIA) regulations?

Part A: Circumstances Where Notification Is Required

There are 5 triggers under the Alberta Health Information Act (HIA) that require mandatory privacy breach notification to the Office of the Information and Privacy Commissioner (OIPC) and the Alberta Minister of Health and the individual(s) affected in the breach.

In this scenario, the  receiving custodian accessed health information for an individual who was not his patient. Clearly, there is a reasonable basis to believe that the information has been accessed (read) by a person (section 8.1(1)(a) of the Health Information Regulation.)

However, the sending custodian had no reason to believe that the information would be misused.

Fax Sending Receiving Error

Part B: Circumstances Where Notification Is Not Required

 The sending custodian assessed the circumstances of the breach and concluded (as per section 8.1(1)(i) of the Health Information Regulation) that the receiving custodian:

  • Accessed the health information in a manner consistent with his role as a health services provider and did not do it for an improper purpose.
  • Is subject to confidentiality policies and procedures that meet the requirements of section 60 of the Act.
  • Did not use or disclose the information beyond determining that he received it in error.

The sending custodian assessed that the risk is appropriately mitigated and this privacy breach incident did not trigger mandatory notification requirements. 

Next Steps

The sending custodian must record the privacy breach in their business records. (I suggest that you use an internal privacy breach reporting form and spreadsheet. You can access these templates in the 4 Step Response Plan.) Remember to include your determination that you do not need to report this breach and the reasons that support your decision.

We know that faxes are a frequent source of privacy breach incidents. What can you do in your practice to reduce the risk of faxes in error?

Practice Management Nuggets Podcast

This topic is included in our Practice Management Nuggets podcast! Be sure to tune in to the podcast episode Fax Received in Error – Is this a Notifiable Privacy Breach? | Episode #067 .

Listen to the Podcast

My Favorite Takeaways From the Podcast

  1. Understand the mandatory privacy breach notification triggers and the circumstances where notification is not required.
  2. Record your privacy breaches – even the ones that do not trigger mandatory privacy breach notification.
  3. Review and improve your fax procedures. We know that this continues to be a frequent source of breaches. What can you do to better manage this known risk?

If you are a member of Practice Management Success, login here and view the webinar replay.

#PracticeManagementNuggets, clinic, fax, healthfare, mandatory privacy breach notification, medical, podcast, privacy breach

Curiosity Is NOT Need-To-Know

Posted on February 18, 2019 by Jean Eaton in Blog

I am often asked if it is ‘OK’ to look up patients information on Netcare when the patient hasn’t been seen for some time and the care provider wants to know how they are doing.

Let me be clear: If you are not currently providing a health service to the patient in a current episode of care, you must not look up that patient’s information on Netcare or any other EMR or paper system.

The patient has a right to privacy – which means don’t look unless you have a need to know.

Curiosity is not a legitimate need to know. That is snooping!

You Can Use This Privacy Breach Example to Review and Improve Your Practices

Pro-active Auditing Reveals Snooping in Sask eHealth

What Happened

On April 6, 2018, a highway collision occurred involving the hockey team Humboldt Broncos which left 16 dead and 13 injured.

The trustee of the Saskatchewan Electronic Health Record Viewer, eHealth, pro-actively audited their electronic health record system to identify potential unauthorized use of the system by authorized users.

eHealth detected that two physicians and an administrator at the Humboldt Clinic Limited inappropriately accessed the personal health information of two individuals involved in a collision involving the Humboldt Broncos.

The auditing revealed that there were many instances where access was made between April 7 and April 10 to the records of two patients. The records belonged to two individuals who died in the crash on April 6.

The physicians had provided care to the individuals in January of 2018 but were not involved in providing care to them on or about April 6. The physicians’ access was prompted because of their ‘concern’ for the individuals.

[click_to_tweet tweet=”Curiosity is NOT need-to-know! The patient has a right to privacy – which means don’t look unless you have a need to know to provide a current health service to the patient. @InfomanLtd #PrivacyBreach #Privacy #PrivacyBreachNugget” quote=”Curiosity is NOT need-to-know! “]

Clearly, these users of the Viewer were not currently providing care and treatment to the patients.

The access of the Viewer in this example not a legitimate need-to-know under Saskatchewan’s The Health Information Protection Act (HIPA).

eHealth reported these privacy breaches to the Information and Privacy Commissioner (IPC) of Saskatchewan.

4 Step Response Plan

The trustee, eHealth, undertook the first step to respond to a privacy breach by spotting and stopping the breach. The audit identified the breach. Then eHealth contained the breach by suspending or terminating access to the Viewer.

Secondly, eHealth appropriately notified the individuals’ next of kin of the privacy breach.

The third step is to investigate the breach. eHealth notified the IPC of the breach. The clinic, however, did not investigate the cause of the privacy beach.

Preventing a similar breach is the fourth step. The clinic has privacy policies and a privacy training strategy. The eHealth Viewer also has online training for its users.

IPC Recommendations

Subsequent to its investigation, the Saskatchewan IPC observed that the training had not prevented this breach.

The IPA recommended that the clinic provide further training to its employees and contractors on the need-to-know principle. Additionally, the clinic is recommended to document the privacy breaches and the lessons learned to prevent a similar privacy breach.

Reference: Saskatchewan IPC Investigation Report 177-2018, January 29, 2019

Privacy Breach Nuggets You Need to Know

There are many privacy breaches in the news each day. The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain.

Privacy education is more than just having policies and procedures. Demonstrating good practices, regular discussion about examples, and even gamification helps to ensure that all members of your healthcare team understand their roles and responsibilities.

If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Pain.

“When we know better, we can do better”

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

#digitalhealth, clinic, healthcare, HIPA, Humboldt, medical, privacy breach, privacy breach nugget
12

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

The Data Privacy Day E-Course was very helpful and it made you think more seriously. I actually made some changes to my computer along way.

- Danielle

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2019 Information Managers Ltd.