Do You Know Where Your Policies And Procedures Are?

Do You Know Where Your Policies And Procedures Are?

Do You Know Where Your Policies and Procedures Are?

This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice.

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.


Don’t let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta’s Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose.

It started with at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Employee Dispute

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigative report is not the current custodian at the clinic. The physician was hired in 2015 and therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8 (6) of the Regulation states the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodians administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.


Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

  • The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information in contradiction contravention of section 8(6) of the regulation.
  • The custodian was in contravention of section 8(6) of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note any collection use or disclosure of health information by an affiliate of a custodian is considered to be the collection, use, and disclosure by the custodian.
  • The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps.

  1. Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
  2. Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
  3. Oath of confidentiality documents should be signed by all of all clinic staff and custodians and maintained in a secure location.
  4. Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.


This incident occurred in 2016. The OIPC office did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide a provision for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure we have these administrative, technical, and physical safeguards in place and are maintained in a consistent fashion.

When you’ve done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.


When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget’ to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach



References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019.

When Do You Need a PIA Amendment?

When Do You Need a PIA Amendment?

A Privacy Impact Assessment Is Good For Business

A privacy impact assessment (PIA) is part of a regular business process if you collect, use, or disclose personal health information in your healthcare practice. When you have a previous PIA that has been prepared, submitted to the Office of the Information and Privacy Commissioner (OIPC) and it has been accepted for use–well, that is not the end of your PIA journey.

You need to ensure that you are updating and amending your PIA as your practice matures and as you make administrative and technical changes to the procedures in your practice.

You need a PIA Amendment when you have a previously accepted PIA and any one of these common triggers below.

You Have a PIA That Was Written More Than 2 Years Ago

It is time to review and update this!

Under Section 8(3) of Alberta’s Health Information Regulation, custodians must periodically review the safeguards they have in place to protect health information privacy. This means that custodians need to regularly review the privacy risk mitigation plans set out in PIAs to ensure they continue to protect against reasonably foreseeable risks to the privacy of health information. The submission of your PIA to the Office of the Information and Privacy Commissioner (OIPC) is mandatory and must precede implementation of your new system or practice.

Change in Health Information Act (HIA) Legislation and Regulations

The HIA has undergone significant amendments in 2006, 2010, most recently in August 2018. Make sure that you have updated your privacy breach management program and include mandatory privacy breach notification to the (OIPC) and the Minister of Health (MOH). Again, ensure that your team training has been updated so that they know how to spot, stop, and report a privacy breach. (See Mandatory Privacy Breach Notification)

Changes In Your Electronic Medical Record or Computer Network

You have the same EMR database, but maybe the configuration has changed. For example, a change from a local to an application service provider (ASP) or cloud-based data centre or Software as a Service (SAS) model would trigger a PIA amendment.

Another trigger is a change in your computer network vendor or changes in wireless networking, remote access, or implementing mobile devices.

PIA amendment EMR computer network

Change in Participating Physicians / Privacy Officer

Since your original PIA, you may have new custodians, including physicians, registered nurses, chiropractors, and other health professionals named in the HIA that have joined or left your practice. Your Privacy Officer may have changed, too. Your amendment should include an up-to-date listing of custodians and privacy officers.

New Users / Information Sharing

There have been many recent information sharing initiatives in healthcare. You might now plan to participate in evaluation projects, patient panel management, or other community initiatives. Make sure that you have your PIA amendment and information manager agreements completed, too. (See – The Top 3 Agreements Your Healthcare Practice MUST Have (and Why).

A quick word of caution: if your new information sharing project includes data matching–the creation of new information by combining two or more sets of data—requires custodians to prepare a privacy impact assessment before performing data matching involving health information (HIA sections 70, 71). The custodian that carries out the data matching is responsible for preparing the Privacy Impact Assessment.

PIA amendment new users

Communicating With Patients

If you are adding new technology to keep in touch with patients for appointment reminders, on-line appointment booking, secure email or patient portals, these will trigger a PIA amendment or, perhaps, a project specific PIA. Make sure that your policies and procedures are up to date, too. (See – Can You Use Text Message With Your Patients? )

PIA Amendment Communicating with patients

Alberta Netcare Portal (ANP) / Community Integration Initiative (CII) / CPAR

ANP updated their PIA in 2016 and, therefore, you need to make sure that your corresponding policies and procedures and training have been updated, too. Remember – when you agreed to participate in ANP, you promised that you would review your threat risk analysis (TRA) and update your Provincial Organization Readiness Assessment (p-ORA) when changes occur and at least every two years.

Prior to applying for the Alberta  CII / CPAR Grant, your practice must have a privacy impact assessment that reflects the current clinic environment.

Maturing Practice

You have learned and grown since your original Privacy Impact Assessment submission. Have you implemented everything that you said that you would? Can you demonstrate that your teams have received privacy and security awareness training? Have you reviewed your Health Information Management Privacy and Security policies and procedures in the last two years?

Keeping up to date without any other significant changes to your practice may not trigger a Privacy Impact Assessment amendment. Make sure that you document your careful review so that you are prepared for your next Privacy Impact Assessment submission.

Important Business Decisions

Creating and reviewing your PIA regularly can help you to spot errors or gaps between the way that you do the work in the clinic and the way that you said that you were going to implement in your clinic.

The questions that we ask during the PIA process are important. The time that you take now to identify the potential risks and prevent those incidents from happening may save you time, money, reputation and even jail time in the future.


3 Options to Help you Create your Privacy Impact Assessment

DIY – Do It Yourself – The Privacy Impact Assessment course, Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course, Includes PIA templates, training sessions live and the replays, and access to me to ask your questions and receive feedback to help you get un-stuck.

DFY – Done For You – I prepare your Health Information Management Privacy and Security Manual policies and procedures and your Privacy Impact Assessment. You receive both paper and electronic copies of all the documents.

DWY – Done With You – a hybrid solution, you register for the on-line course and do the information gathering and preparation of your Privacy Impact Assessment submission with coaching from me in the course. I will also assist you to prepare the customized privacy and security policies and procedures, and resources as needed at an hourly consulting rate.

Find out more here: Privacy Impact Assessments or send me an email.

Small Business Tech Day

Small Business Tech Day

Click on the >> Arrow above and watch the short (5 min) video to watch my 6 steps to help you right away!

The Privacy Playbook: 6 Steps to Small Business Privacy Compliance

I’m Jean L. Eaton, your Practical Privacy Coach and Practice Management Mentor. I help healthcare providers and clinic managers implement privacy best practices, like pulling together the right forms and paperwork to use with their employees and patients and implementing privacy best practices.

Whether it’s improving privacy workflow, understanding the impact of breaches, working with privacy legislation, privacy impact assessments, or mentoring privacy practices among staff, I make privacy in healthcare simple and straightforward.

I have found that when small business use these 6 steps to small business privacy compliance:

  • your privacy management program operates smoothly every month
  • you avoid nasty privacy and security incidents
  • your business operates more efficiently

When you focus on proper privacy and security practices, compliance falls into place.

Information Managers Is Proud to be an Official Partner of the Small Business Tech Day.

To access more replays recorded on November 16, 2023, 

Register here! It’s FREE!


How To Use Current Technology To Maximize Productivity And Profits In Your Business While Staying Protected And Secure

Small businesses must be nimble to prevent cybersecurity crime and continue to boost profitability and productivity. Technology automation and AI can help–when you implement wisely.

We can help you with that!

This Free Online Event Features Speakers Shark Tank’s Robert Herjavec, Co-Founder Of Siri Adam Cheyer And Best-Selling Author And Entrepreneur Extraordinaire Mike Michalowicz.

Solid Technology Solutions has been named as the official host of Edmonton Small Business Tech Day happening on November 16th.

This online event is designed to help small businesses navigate the future of technology, especially with the recent emergence of AI.

We’ll ensure you are equipped with the best advice from these world-renowned experts when it comes to changes in your day-to-day business.

Featuring well-known business leaders, tech experts and leading minds showing small businesses how to compete and succeed in many aspects of their business with a concentration on utilizing technology to be productive, profitable, and protected.

Learn how to maximize productivity, profits, and security in your business!

Discover cutting-edge technologies in these presentations that can streamline your business operations, saving you time and increasing overall efficiency.

“A Shark’s-Eye View Of The Future Of Small Business Tech” with Robert Herjavec

Shark Tank Celebrity Robert Herjavec will discuss the distinct differences between businesses losing money and those that are becoming more profitable and growing.

“New Business Protections You Need In Place NOW To Safeguard Your Assets” with Grant Dakin

Roughly 61% of all SMBs were the target of at least one cyber-attack in the past few years, which can equal hundreds of thousands of dollars in lost revenue. It’s no longer a question of IF you’ll get hacked, but WHEN. Millions of organizations are being held hostage by cybercriminals and hackers. During this session, you’ll get actionable steps to take to proactively protect your business from lost profits and irreparable reputational damage.

“The Good, The Bad, And The Ugly Of AI In Small Business” with Adam Cheyer

Your business needs to be prepared for current programs and technology and what’s on track to possibly disrupt it further.

“How To Get Your Business To Run On Its Own” with Mike Michalowicz

You can have the freedom to take a vacation or some well-deserved time off.

“The Privacy Playbook: 6 Steps to Small Business Privacy Compliance” with Jean L. Eaton

When you focus on proper privacy and security practices, compliance falls into place. Grab my 6 steps to help you right away.

Solid Technology Solutions is Your Proud Host

Solid Technology Solutions helps small businesses equip themselves with the best technology and practices available today to increase productivity and profitability and protect them against online threats.

Get your no-cost invitation!

Information Managers Is Proud to be an Official Partner of the Small Business Tech Day

Information Managers Partner image

No matter what happens with the economy, there are strategies you can use to keep growing profitably while keeping your business secure.

Today you can get these strategies when you join us at

Think Like a Hacker: Safeguarding Your Business in the Digital Age

Think Like a Hacker: Safeguarding Your Business in the Digital Age

I’m tickled pink to be a member of the discussion panel at

‘Think Like a Hacker: Safeguarding Your Business in the Digital Age’

Cyber Crime is Climbing in Healthcare

The rise of cybercrime in healthcare is alarming.

“The Healthcare vertical is highly targeted by ransomware gangs, which results in both the loss of use of their systems—potentially with life-threatening consequences—as well as data breaches.” 

Verizon 2023 Data Breach Investigations Report (DBIR)

Accurate Networks and Armour Insurance Help You To Prevent Cyber Crime

‘Think Like a Hacker: Safeguarding Your Business in the Digital Age’ event is sponsored by Accurate Network Services and Armour Insurance.

Cybercrime, hacking, and privacy breaches are the biggest risks facing any organization today. Regardless of your size or industry—you are a target.

Think Like a Hacker to Protect Your Practice

Constable Jon Cook, an RCMP Cybercrimes Investigator, will share his experience from the front lines of this new frontier of cybercrime. Find out how hackers use social engineering and other common hacking methods that threaten your practice. Use these examples to identify potential weak spots and risk in your healthcare practice.

Safeguard Personal Health Information and Your Business

Join us for an interactive Q&A session with industry experts in Medical, Privacy, Insurance, IT, and Law Enforcement. We will answer your questions and offer you practical advice on how to protect against cyber risks.

I’ll be there to discuss privacy compliance and safeguards that you can take to prevent hackers in your medical or dental practice.

Stay and mingle with other attendees while enjoying complimentary appetizers and drinks at the historic Bell in Scona.

Don’t wait until it’s too late!

Join me at ‘Think Like a Hacker: Safeguarding Your Business in the Digital Age’ on Sept 27, 2023, in Edmonton.

Let’s tackle cyber threats in healthcare together!

#CyberSecurity #Healthcare

Get your no-cost invitation!

Do You Use Employee Privacy and Security Policy and Procedure Checklist Templates?

Do You Use Employee Privacy and Security Policy and Procedure Checklist Templates?

Why Do You Need Policy and Procedure Checklists for Onboarding and Exiting Employees?

There is much excitement when we welcome a new hire to our team and there are many administrative tasks that need to take place to get this individual up and running. An employee policy and procedure checklist will help!

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed to protect patient privacy as required by our professional colleges and privacy legislation. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

To ensure that onboarding a new employee is a smooth transition, it is imperative to follow a practical checklist procedure to make sure no important steps are missed. There are also many other managerial benefits to adopting this high-quality process:

  • Better job performance and satisfaction
  • Greater commitment to protecting privacy in the organization
  • Reduced stress and better staff retention

Employee Privacy and Security Policy and Procedure Checklist

Policies and procedures are reasonable safeguards to protect the personal and health information entrusted to us. But polices and good intentions alone are not enough; we also need to take action to ensure our policies are understood and are being followed by all our employees.

Training new and existing staff on privacy and security best practices is instrumental in making your healthcare practice a success and maintaining its fine reputation. Following a systematic approach to welcoming a new employee, transitioning an existing employee into a new position, or offboarding an employee who is exiting will guarantee that valuable privacy and security training and accesses are completed.

Read this Privacy Breach Nugget that explains what can happen if you don’t have these good practices in place. Do You Know Where Your Policies And Procedures Are? 

New Employee Orientation / Onboarding

New employees are a welcome addition to any team and there is a vast amount of training that needs to take place from general procedures on how to handle phone calls to signing confidentiality oaths to becoming familiar with all policies and procedures, in addition to learning the everyday job duties for their own position.

Since privacy is good for business, we do not want to miss any important opportunities to train our new staff on privacy and security best practices. Using the Employee Privacy and Security Checklist will help facilitate training discussions and document the authorized accesses of each employee.

Existing Employees / Annual Review

The checklist will also act as a tool for each employee at their performance review. Provide positive feedback and observations of an employee’s successes in protecting personal information. Discuss opportunities for improvement, too. This is also a good time to review an employee’s current authorized role-based accesses and determine if any changes are needed to match the employee’s current job duties.

Ensure that the employee still has ‘tokens’ that they were given at the time of their hire, like identity badge, keys to the clinic or Alberta Netcare RSA fob.

Privacy and security best practices dictate that confidentiality oaths should be signed on an annual basis and annual privacy awareness and security refresher training should also be provided to all employees. In the event of a privacy incident or breach, it is imperative that a healthcare practice can prove by their documentation that regular privacy and security training is provided to their staff.

Transferring / Exiting Employees

When an employee transitions into a new role or is terminated, review and update the privacy and security checklist to ensure that access and permissions are appropriately modified or terminated.

Custodian Responsibility

Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This includes having appropriate policies and procedures in place, as well as demonstrating and documenting that you have implemented your plans. This is a requirement of professional college standards of practice and privacy legislation like the Health Information Act (HIA).

See the article Do You Know Where Your Policies And Procedures Are? to learn what can happen to you if you don’t have your employee training process well documented

The Employee Privacy and Security Checklist will make it easy for you to ensure your new hires, existing employees, and transferring or exiting employees are privacy and security compliant.



Your practice also needs to have policies and procedures that set out how you ensure the privacy, confidentiality, and security of the health information you collect, use, and disclose. Don’t know which policies and procedures you need? Download the Privacy and Security Policies and Procedures Checklist below!


Practice Management Success

If you are a member of Practice Management Success, login and access the webinar replay, and the policy, procedure, and checklist template.

Not a member? Join today!


When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security expecially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach