How Long Does It Take to Do a PIA?

Posted on December 3, 2021 by Jean Eaton in Blog

Click the >> arrow above to play the video.

I’m opening my practice next month.

I just learned that I need to complete a Privacy Impact Assessment.

What do I do now?

Unfortunately, I hear this question far too often!

Here’s What You Need to Know About the Timelines Required to Complete a Privacy Impact Assessment

In the perfect world, you will start your PIA process about 6 months before you plan to open your practice.

You will start with developing the privacy and security policies and procedures.

Next, you will discuss with the EMR vendors, computer IT support vendors, and other stakeholders about your operational needs and ensure that the vendors can meet PIA requirements.

At this point, about 4 months before Go Live, you will start writing your Privacy Impact Assessment documents.

You will review and accept the Privacy Impact Assessment internally to your organization and ensure that each of the custodians have reviewed, understood, and accepted the Privacy Impact Assessment.

Then, you will submit the Privacy Impact Assessment to the Office of the Information and Privacy Commissioner (OIPC) about 3 months before your go-live date.

Start With Privacy and Security Policies and Procedures

If you are planning to open your healthcare practice soon or planning to implement a new project in your existing clinic, your first step is to review (or create) your privacy and security policies and procedures..

Templates make it easier to complete your policies and procedures. Make this fast and easy with our templates!

Guidance for Electronic Health Record Systems

To help you with your discussion of PIA requirements with your vendors, the OIPC has produced a document, “Guidance for Electronic Health Record Systems“.

This guide was developed to assess the safeguards in electronic health record (EHR) systems. Custodians and their EHR service providers may use this document to support a Privacy Impact Assessment on an EHR system, or to examine whether changes to a system comply with Health Information Act requirements. Published in June 2016.

This is intended to assist you to have a discussion with your vendors. The guidelines are not part of the PIA submission. The Guideline will help you to ask good questions with your vendors so that you can get good answers. You will include the answers to the questions in your PIA submission.

If you are currently looking for a vendor for your EMR, practice management system, computer network system or, perhaps, your billing system, these are the questions that you need to discuss with your vendor. Their answers will help to inform you and assist you in selecting good vendors for your practice.

If You Are a Vendor That Supports Healthcare Practices

If you are a vendor that supports healthcare practices, I encourage you to download the document, Guidance for Electronic Health Record Systems, and complete it from the perspective of your product or service even if your product isn't an EHR. Then, you can share the completed document with your prospective clients and custodians as a demonstration of your privacy and security practices and support your clients with their PIA submission.

Don't Wait!

If you haven’t done your PIA yet, you definitely need to get this completed. You need to have your policies and procedures completed and your PIA submitted to the OIPC for their review and acceptance before you open your new practice.

Want more content like this?

For more information about Privacy Impact Assessments, see

Click Here to Get More About PIA's

health care, healthcare, medical, plan a PIA, Privacy Impact Assessment, timeline

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

Posted on April 7, 2021 by Jean Eaton in Blog

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

You are working at the reception desk of a healthcare practice. Suddenly, there is a police officer giving you a court order! Do you know how to prepare patient records for a court order?

Don’t Panic!

In this month’s Q&A with Jean, we discussed how to prepare patient records for a court order with confidence!

Now, just a reminder, I’m not a lawyer and I don’t play one on TV. These are my recommendations based on my experiences – as a director of health records in hospitals in Canada, as a court reporter, and as a mentor to clinic managers in independent healthcare practices – and this is not legal advice.

Follow These Steps

In this article, I am not discussing a situation which relates to a life-threatening situation that requires an immediate response. I am also not discussing when the order relates to the type or quality of healthcare provided to the patient or when the actions of the healthcare provider or clinic is being challenged or reviewed. These are topics for a different article.

Your reception staff should not accept the court order but, instead, immediately ask the officer to wait for a few minutes so that they can request their supervisor or privacy officer meet with them.

When the court order is an administrative request for information, the supervisor or privacy officer will accept the court order from the officer. Before the officer leaves, make sure that you read the court order carefully and ensure:

Who is named in the court order.
- This is often the clinic manager of the clinic. Your clinic should be specifically named or, perhaps, the name of your lead physician or healthcare provider.
Record the date and time that you received the order.
Clarify when the response is required.
Name and contact information.
- This could be of the officer that delivered the court order (if possible).
- At minimum, it should include the contact information of the court, for example, the court clerk’s office or the witness co-ordinator, or the sheriff’s office.
The province or jurisdiction of the court.
In general, this should be the same province where your clinic operates. If not, contact your lawyer for advice on how to respond.

Review Your Policies and Procedures

This is not a routine request from a patient to access their health records or a request to disclose their records to a third party like a lawyer or insurance company. In those routine requests, patients are generally required to provide a written, signed consent before you can disclose their records.

When you receive a court order or subpoena to produce patient records at a court or other legal proceeding, you are not required to get a signed consent from the patient.

Each healthcare practice should have detailed policies and procedures on how to prepare patient records for a court order. Review these now.

If you don’t have up-to-date policies and procedures, see the Practice Management Success Tip, How to Prepare Patient Records for a Court Order.

Validate the Court Order

Read the court order carefully. In particular,

Phone the contact number on the court order.
Confirm the date, time, and location that you are required to appear.

Locate the Patient Record

Find the patient information maintained in an electronic database, electronic medical record (EMR) and/or paper records. Remember to look for both active and inactive patient records as needed by the court order.

Read the patient record carefully, line by line, to ensure that the record is complete. For example, make sure that all lab reports, prescriptions, consultation notes, etc. are included in the record.

Secure the record to prevent snooping or modification to the record. Also ensure that the record is available for continuing care and treatment of the patient, if needed.

In an electronic record, prepare an audit log of all the transactions on that patients’ chart.

Ensure there is no duplicate or second chart for the patient that may have been created in error. Search by alternate names, spellings, date of birth, etc.

Ensure that each custodian included in the patients’ care and your healthcare practice’s privacy officer is informed of the court order to produce the record. The custodian should be provided an opportunity to review their clinic notes. Remind the custodian that they cannot further disclose the patient's record.

Prepare the Patient Record

Review the court order and identify exactly what information is requested. It might be for specific dates or a condition or treatment.

Keep complete and detailed notes about how you prepared your response to the court order. You will bring your notes with you to court to assist you in your testimony about how your clinic creates and maintains patient records and what you did to respond to the court order. After your court appearance, you will maintain your notes as part of the business records for the clinic.

Collect the information and record each of your steps and your results, including the records that you searched for as well as those that you did not find any results for.

If you maintain your patient records in an electronic medical record (EMR) or digital practice management software, print out a hard copy of all the information that responds to the information that is requested.

Sever (also known as redact or black-line) any information that is not appropriate to include in the disclosure. Cross-reference each redacted entry to the legal authority not to include the information in the disclosure.

If you are using an EMR, organize the paper print-out in a format that makes sense. This might be in chronological date order, or by grouping like records (clinic notes, lab results, etc.) together.

Create a ‘Table of Contents’ of the information in the patient record. This will help you in your testimony to quickly find requested information, and to help the court to locate information in the records that you have prepared.

At the same time, handwrite in ink at the bottom of each page the sequential page number in the package. Update the table of contents with the page numbers.

Stamp ‘COPY’ on each page.

When the package is complete, make a photocopy (or two) of the entire package. The ‘original’ paper copy will be maintained at the clinic. Bring the original and the copy to court and ask the court to accept your copy. Return the original package to the clinic and securely maintain this as part of the business records of the clinic until the court file is complete.

When You Attend At Court

As the clinic manager, your role at the court is to tell the court how patient information is collected and maintained in your healthcare practice. Your job is not to interpret the content of the clinic notes.

A few days prior to the court date indicated on the court order, phone the clerk’s office or witness support office to confirm the date, time, and location of the proceedings and if you are still required to attend.

On the day of the proceedings, report to the clerk of the court.

Bring with you the court order, your photo ID, the patient record, and your notes. Bring a good book to read in case you have a long wait.

You will be advised (again) if you are required that day. If you are not required, the clerk will make a notation on your court order to appear that you attended and that you have been dismissed. Keep this in your business records with the patient record.

If your testimony and the patient records are required, you will be called as a witness during the court proceeding.

You will be asked to swear or affirm an oath to speak honestly during your testimony.

Typical questions that you should be prepared to answer include:

Your name.
Your role at the clinic, how long you have been in that role, your routine tasks and responsibilities at the clinic.
Describe how patient records are maintained. Be prepared to explain your EMR or computer patient management system (if you have one).
Bring your notes about the steps that took to prepare for the court order. You may ask permission of the court to refer to your notes that you created when preparing to respond to the court order during your testimony, if necessary.
Explain that the patient records are kept electronically and that you have prepared a paper print-out of those notes.
Be prepared to explain how you know that the records are complete, not missing any details, etc.
If the court asks you to enter the records into evidence, explain that you have an ‘original’ and a ‘copy’ and ask the court to accept the ‘copy’ into evidence.

When You Return to the Clinic

Complete your notes by documenting your day at the court. Write a short summary of your day including:

Did you give a copy of the patient records to the court? To whom?
Remember to add this notation to the patients’ record that you disclosed this information according to the court order.
Any follow-up required for this disclosure?
Review your procedures. Anything that you would edit or provide additional instructions that will help you to be better prepared for next time you receive a court order?
Submit a copy of your out of pocket expenses (parking receipts, meals, etc.) for re-imbursement by your employer, if applicable.

What You Should Do Now

Review your policies and procedures now to ensure that it includes how to respond to a court order.
Train your reception staff on what to do if they receive a court order.
Train your privacy officer and clinic manager on how to prepare a patient record for a court order.

Depending on where you work, you may receive a court order regularly or it might be a once-in-a-career experience. When you have policies and procedures and a little bit of training to assist you, you can respond to a court order calmly and confidently.

If you are a member of Practice Management Success, login and access the ’Procedure: Preparing Patient Records for a Court Order’ template and the replay of the tutorial video.

Download Practice Management Success Tip - Preparing Patient Records for a Court Order Now!

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

court order patient records, health care, health records, healthcare, medical, Practice Management Success, subpoena to produce patient records, template procedure

Do You Use Employee Privacy and Security Policy and Procedure Checklist Templates?

Posted on December 21, 2020 by Jean Eaton in Blog

Why Do You Need Policy and Procedure Checklists for Onboarding and Exiting Employees?

There is much excitement when we welcome a new hire to our team and there are many administrative tasks that need to take place to get this individual up and running. An employee policy and procedure checklist will help!

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed to protect patient privacy as required by our professional colleges and privacy legislation. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

To ensure that onboarding a new employee is a smooth transition, it is imperative to follow a practical checklist procedure to make sure no important steps are missed. There are also many other managerial benefits to adopting this high-quality process:

Better job performance and satisfaction
Greater commitment to protecting privacy in the organization
Reduced stress and better staff retention

Employee Privacy and Security Policy and Procedure Checklist

Policies and procedures are reasonable safeguards to protect the personal and health information entrusted to us. But polices and good intentions alone are not enough; we also need to take action to ensure our policies are understood and are being followed by all our employees.

Training new and existing staff on privacy and security best practices is instrumental in making your healthcare practice a success and maintaining its fine reputation. Following a systematic approach to welcoming a new employee, transitioning an existing employee into a new position, or offboarding an employee who is exiting will guarantee that valuable privacy and security training and accesses are completed.

Read this Privacy Breach Nugget that explains what can happen if you don’t have these good practices in place. Do You Know Where Your Policies And Procedures Are?

New Employee Orientation / Onboarding

New employees are a welcome addition to any team and there is a vast amount of training that needs to take place from general procedures on how to handle phone calls to signing confidentiality oaths to becoming familiar with all policies and procedures, in addition to learning the everyday job duties for their own position.

Since privacy is good for business, we do not want to miss any important opportunities to train our new staff on privacy and security best practices. Using the Employee Privacy and Security Checklist will help facilitate training discussions and document the authorized accesses of each employee.

Existing Employees / Annual Review

The checklist will also act as a tool for each employee at their performance review. Provide positive feedback and observations of an employee’s successes in protecting personal information. Discuss opportunities for improvement, too. This is also a good time to review an employee’s current authorized role-based accesses and determine if any changes are needed to match the employee’s current job duties.

Ensure that the employee still has ‘tokens’ that they were given at the time of their hire, like identity badge, keys to the clinic or Alberta Netcare RSA fob.

Privacy and security best practices dictate that confidentiality oaths should be signed on an annual basis and annual privacy awareness and security refresher training should also be provided to all employees. In the event of a privacy incident or breach, it is imperative that a healthcare practice can prove by their documentation that regular privacy and security training is provided to their staff.

Transferring / Exiting Employees

When an employee transitions into a new role or is terminated, review and update the privacy and security checklist to ensure that access and permissions are appropriately modified or terminated.

Custodian Responsibility

Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This includes having appropriate policies and procedures in place, as well as demonstrating and documenting that you have implemented your plans. This is a requirement of professional college standards of practice and privacy legislation like the Health Information Act (HIA).

See the article Do You Know Where Your Policies And Procedures Are? to learn what can happen to you if you don’t have your employee training process well documented

The Employee Privacy and Security Checklist will make it easy for you to ensure your new hires, existing employees, and transferring or exiting employees are privacy and security compliant.

Download the FREE Report - Employee Privacy and Security Policy and Procedure Checklist Template

Your practice also needs to have policies and procedures that set out how you ensure the privacy, confidentiality, and security of the health information you collect, use, and disclose. Don't know which policies and procedures you need? Download the Privacy and Security Policies and Procedures Checklist below!

Show Me the Policy and Procedure Checklist!

Practice Management Success

If you are a member of Practice Management Success, login and access the webinar replay, and the policy, procedure, and checklist template.

Not a member? Join today!

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies And Procedures Are?

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

New! Health Information Policy and Procedure Manuals

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security expecially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

checklist, clinic, health care, healthcare, medical, policy, Practice Management Success, privacy, procedure, template

CHIMA’s Emerging Privacy Management Practices in Health Care series

Posted on July 30, 2020 by Meghan in Blog

Emerging Privacy Management Practices in Health Care

I'm tickled pink to be the facilitator for CHIMA's new continuing education series.

The Canadian Health Information Management Association (CHIMA) recently launched a live, 5-part privacy series, Emerging Privacy Management Practices in Health Care, beginning on August 6, 2020.

Telehealth and virtual care implementation has advanced 10 years in the last 3 months in response to the coronavirus (COVID-19) pandemic. This series covers the critical aspects of implementing modern privacy management practices in your health care organization. This series is suitable for individuals with privacy-related roles (e.g., managers, vendors, or employees) across the continuum of health care (e.g., acute, primary, long-term or community care).

Each module will cover a privacy-related topic area including privacy awareness, release of information (ROI), access and disclosure, security/cybersecurity, and breach management. Environment overviews are shared throughout the series along with new opportunities for health information professionals in both traditional and emerging roles. By keeping current with these trends, health information professionals will be better prepared to assume new roles within privacy management.

Attend the live webinars to participate in a Q&A period with series facilitator and industry expert Jean L. Eaton.

Learn more at echima.ca/privacy-series

Speakers:

Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers Ltd.

Jean L. Eaton is a Certified Health Information Management (CHIM) professional, and privacy awareness training facilitator.

She has had the honour of sharing her passion for practical privacy and confidentiality advice with hundreds of medical clinics, health care practices, and organizations across Canada and the United States.

Jean has over 20 years of experience in health information management and health care administration and over 15 years in her independent privacy consulting practice. She makes practical recommendations for thousands of independent health care providers to help them comply with privacy legislation and create efficient practices.

Jean is also a keynote speaker on the topic of privacy breach management and serves as an on-demand ‘virtual privacy officer’.

The live webinars will occur on the first Thursday of each month from August to December.

Module	Date	Time
1. Privacy awareness	August 6, 2020	12:00 – 1:30 pm EST
2. Release of information	September 3, 2020	12:00 – 1:30 pm EST
3. Access and disclosure in patient portals, information sharing, and health information exchange environment	October 1, 2020	12:00 – 1:30 pm EST
4. Security/cybersecurity	November 5, 2020	12:00 – 1:30 pm EST
5. Privacy breach management	December 3, 2020	12:00 – 1:30 pm EST

Purchase Your Series Pass Here!

access, cybersecurity, health care, Health Information Management, healthcare, medical, privacy, privacy awareness, privacy management, security, telehealth, virtual care

Privacy Awareness in Healthcare Training: Dental Practices

Posted on June 15, 2020 by Meghan in Blog, Services

NEW! Privacy Awareness in Healthcare Training – Dental Practices

Privacy Awareness Training for Dental Practices

Is your dental clinic in compliance with the Alberta Dental Association & College, Health Information Act (HIA) and Personal Information Protection Act (PIPA)?

Dentists and dental practices in Alberta are required to have an ongoing privacy program to ensure the protection of private records and patient information. The appropriate collection, use, and disclosure of personal information is critical to maintaining privacy for patients that choose to trust in your practice. Accomplishing this important goal demands an up-to-date training strategy.

Regular privacy awareness training protects patients, employees and your business. The key components of your training strategy must revolve around ensuring HIA compliance to mitigate risk of a privacy breach. Everyone in your clinic – dentists, dental assistants, dental hygienists, office staff, contractors and even practicum students and volunteers must understand how to correctly handle personal information, so it remains confidential and secure. Maintaining high standards that safeguard information privacy and security is an essential aspect of asset management for any health care provider.

Corridor Interactive's training includes a personalized printable certificate of achievement to support compliance and may be used for your continuing education credits, too! Our training delivers industry best practices and is ideal for all levels of staff in any dental organization or clinic that collects, uses or discloses personally identifying information. This includes direct care providers in your practice as well as privacy officers, support staff and any other employees who are not directly involved in patient care.

Corridor’s Privacy Awareness Training for Dental Practices educates dentists, dental assistants, dental hygienists, and all office staff on:

Understanding Privacy
Privacy Principles
Collection, Use & Disclosure
Roles & Responsibilities
Privacy Breaches
Right of Access
Safeguards
What is “Health Information”
Handling Personal Sensitive Health Information

If You Are A

dentist,
dental assistant,
dental hygienist,
or work in a dental practice

You Need Privacy Awareness in Healthcare Training – Dental Practices

You will

Understand patient and client privacy rights.
Respect personal health information and your obligations.
Confidently and correctly handle personal health information.
Use reasonable safeguards to protect personal health information (PHI).
Recognize and respond to a privacy breach
Support key policies, procedures and risk management programs in your healthcare practice.

Interactive Online Learning Experience provided by Corridor Interactive

Corridor Interactive’s Buy Now Training Programs give you access to the most current information available, at your convenience. Complete your course all at once, or in multiple sessions from any location – it’s up to you. All you need is an internet connection and an email address to get started…it’s that easy!

Fits into your schedule – you can start, pause at anytime, and return to the course exactly where you left off.
Easy to use – navigation buttons makes it easy to continue to the next topic or pick and choose the order that you want to see the content.
Get started immediately – the entire course is ready for you!
Work at your own pace – you have access to the course for three (3) months. Most students complete the course in under 2 hours.
You can listen to the narration for each module.
Practical examples, too, to make it easier for you to apply what you have learned in the course to your job.
Links to extra resource material and websites related to your topic of study, to peruse at your convenience.
A printable Certificate of Completion, available as soon as you successfully complete your course.
An audit trail and record of your course activity and training history.
Self-directed learning features including the ability to pause your course at any time and resume later, right from where you left off.
Unlimited access to your course and resources for the duration of your subscription term.
Technical support with a one-business day turnaround for end-user support help and questions.
Automatic emails when you complete your course, or reminders if you have not completed.

Developed by Corridor’s team of seasoned software specialists and instructional designers, this unique online learning application is the optimum vehicle for delivering learning content.

$30 per subscription

Give your staff the knowledge and tools they need to apply policy in their day-to-day work AND prevent a privacy breach with privacy awareness training.

Privacy Awareness in Healthcare Training – Dental Practices

Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information. Learn basic healthcare privacy principles and how to handle personal health information, use safeguards, and recognize and report a privacy breach.

Sounds great! Sign me up!

This self-paced on-line education includes:

9 Modules
6 Quizzes
2 Case Studies
Final Exam

Certificate of Completion

“When we know better, we can we do better.”

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too! I designed this course to assist healthcare providers, clinic managers, practice managers, privacy officers and independent healthcare practice owners provide practical privacy awareness training that was easy to implement, consistent content, cost-effective and meaningful to your day-to-day business.

When each member of your independent healthcare practice completes this privacy awareness course, you will have clearer expectations and confidence that your team will maintain the privacy, confidentiality and security of your patient’s health information. Give your patients the gift of privacy. Improve your healthcare practice with privacy awareness education.

Jean L. Eaton, Your Practical Privacy Coach Information Managers Ltd.

Frequently Asked Questions

How can I access the course?

The course, Privacy Awareness in Healthcare Training – Dental Practices is available on-line from any internet enabled device. You can use your desktop computer, smart phone or tablet to view the slides and even hear the narration.

How long is the course?

Most students complete the course in under 3 hours. You can start and stop the course at any time. Let's say you decide to take 20 minutes each day to work on the course. You can login and start the course right away. When you come back to the course the next day, you can start right from where you left off. You will have all the modules and the post-test done within 6 days. Don't worry about missing a few days – you have access to the course for a full 3-months!

This is my first job in a dental practice. Do I know enough to start the course?

You bet! The course is easy to read and I explain all the terms that you need to know. There are a lot of practical examples, too, to make it easier for you to apply what you have learned to your job.

I've worked in healthcare for a long time. Do I still need to take this course?

You bet! Seasoned professionals like yourself have an extra obligation to share your knowledge with new workers. This course will help you to refresh key principles and suggest wording, examples, and key messages that you can use to train new employees to their specific tasks in the workplace. The course will help you to advocate for the privacy rights of your patients. Unfortunately, we have many examples where trained professionals who “should have known better” make errors in judgement causing privacy breaches that affect our patients, our business, and the reputation of healthcare. Healthcare practitioners and owners have a responsibility to ensure that everyone in the practice receive comprehensive privacy awareness training regularly.

Will I get a certificate of completion that I can give my employer?

Yes – at the end of the course, you will have the opportunity to complete a short on-line quiz to confirm that you understand the key concepts. Then you will have access to a Certificate of Completion that you can download and share with whomever you choose.

Can I get continuing education credits with my professional association?

Maybe! If you are a member of a professional association and you would like to seek credits from for taking this course, please let us know so we can take steps to request pre-approval. Often, professional association and colleges will grant continuing education (CE) credits based on your certificate of completion.

How much is the course?

The course is $30 per individual 3 month subscription. Click here to buy it right away.

I think everyone in my healthcare practice should take this course! Can I buy in a group package?

Yes – Privacy Awareness in Healthcare Training – Dental Practices is available in group packages, or it can be customized to incorporate your organization’s privacy policy and practices. Employers can monitor the employee’s training progress and receive a report of employee’s satisfactory completion of on-line quizzes. Track annual privacy awareness training through our online platform to demonstrate your compliance with legislation. Contact Corridor Interactive for more information.

I agree that privacy awareness training is important - but I don't work in healthcare. Do you have a corporate privacy awareness program?

While these programs have been developed with health care providers in mind, the privacy principles and fundamentals of protecting personal information are appropriate for any organization that collects, uses, and discloses personally identifying information. Contact us for information about our Corporate Privacy Awareness Program!

Interested in Group Training?

Employers can also purchase training for groups of employees; employees can access the internet based training at a time and location convenient to them. Employers can monitor the employee’s training progress and receive a report of employee’s satisfactory completion of on-line quizzes. Track annual privacy awareness training through our online platform to demonstrate your compliance with legislation.

Email Corridor Interactive to Order Group Training

Corridor Interactive, dentists, health care, Health Information Act Training, healthcare, healthcare provider, primary healthcare, privacy, privacy awareness, privacy breach, training

When Do You Need a PIA Amendment?

Posted on July 23, 2019 by Jean Eaton in Blog

A Privacy Impact Assessment Is Good For Business

A privacy impact assessment (PIA) is part of a regular business process if you collect, use, or disclose personal health information in your healthcare practice. When you have a previous PIA that has been prepared, submitted to the Office of the Information and Privacy Commissioner (OIPC) and it has been accepted for use–well, that is not the end of your PIA journey.

You need to ensure that you are updating and amending your PIA as your practice matures and as you make administrative and technical changes to the procedures in your practice.

You need a PIA Amendment when you have a previously accepted PIA and any one of these common triggers below.

You Have a PIA That Was Written More Than 2 Years Ago

It is time to review and update this!

Under Section 8(3) of Alberta’s Health Information Regulation, custodians must periodically review the safeguards they have in place to protect health information privacy. This means that custodians need to regularly review the privacy risk mitigation plans set out in PIAs to ensure they continue to protect against reasonably foreseeable risks to the privacy of health information. The submission of your PIA to the Office of the Information and Privacy Commissioner (OIPC) is mandatory and must precede implementation of your new system or practice.

Change in Health Information Act (HIA) Legislation and Regulations

The HIA has undergone significant amendments in 2006, 2010, most recently in August 2018. Make sure that you have updated your privacy breach management program and include mandatory privacy breach notification to the (OIPC) and the Minister of Health (MOH). Again, ensure that your team training has been updated so that they know how to spot, stop, and report a privacy breach. (See Mandatory Privacy Breach Notification)

Changes In Your Electronic Medical Record or Computer Network

You have the same EMR database, but maybe the configuration has changed. For example, a change from a local to an application service provider (ASP) or cloud-based data centre or Software as a Service (SAS) model would trigger a PIA amendment.

Another trigger is a change in your computer network vendor or changes in wireless networking, remote access, or implementing mobile devices.

PIA amendment EMR computer network

Change in Participating Physicians / Privacy Officer

Since your original PIA, you may have new custodians, including physicians, registered nurses, chiropractors, and other health professionals named in the HIA that have joined or left your practice. Your Privacy Officer may have changed, too. Your amendment should include an up-to-date listing of custodians and privacy officers.

New Users / Information Sharing

There have been many recent information sharing initiatives in healthcare. You might now plan to participate in evaluation projects, patient panel management, or other community initiatives. Make sure that you have your PIA amendment and information manager agreements completed, too. (See – The Top 3 Agreements Your Healthcare Practice MUST Have (and Why).

A quick word of caution: if your new information sharing project includes data matching–the creation of new information by combining two or more sets of data—requires custodians to prepare a privacy impact assessment before performing data matching involving health information (HIA sections 70, 71). The custodian that carries out the data matching is responsible for preparing the Privacy Impact Assessment.

PIA amendment new users

Communicating With Patients

If you are adding new technology to keep in touch with patients for appointment reminders, on-line appointment booking, secure email or patient portals, these will trigger a PIA amendment or, perhaps, a project specific PIA. Make sure that your policies and procedures are up to date, too. (See – Can You Use Text Message With Your Patients? )

PIA Amendment Communicating with patients

Alberta Netcare Portal (ANP) / Community Integration Initiative (CII) / CPAR

ANP updated their PIA in 2016 and, therefore, you need to make sure that your corresponding policies and procedures and training have been updated, too. Remember – when you agreed to participate in ANP, you promised that you would review your threat risk analysis (TRA) and update your Provincial Organization Readiness Assessment (p-ORA) when changes occur and at least every two years.

If you want to participate in new initiatives like CII and CPAR, you need to review and update both your PIA and your p-ORA, too.

Maturing Practice

You have learned and grown since your original Privacy Impact Assessment submission. Have you implemented everything that you said that you would? Can you demonstrate that your teams have received privacy and security awareness training? Have you reviewed your Health Information Management Privacy and Security policies and procedures in the last two years?

Keeping up to date without any other significant changes to your practice may not trigger a Privacy Impact Assessment amendment. Make sure that you document your careful review so that you are prepared for your next Privacy Impact Assessment submission.

Important Business Decisions

Creating and reviewing your PIA regularly can help you to spot errors or gaps between the way that you do the work in the clinic and the way that you said that you were going to implement in your clinic.

The questions that we ask during the PIA process are important. The time that you take now to identify the potential risks and prevent those incidents from happening may save you time, money, reputation and even jail time in the future.

You Know Your Practice Better Than Anyone Else

When you have a coach to guide you through the PIA amendment process, provide you with templates, and give you feedback on your work in regular live training webinars, join me in the on-line step-by-step course, Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments.

Find out more here: Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments or send me an email.

Practice Management Nuggets Podcast

This topic is included in our Practice Management Nuggets podcast! Be sure to tune in to the podcast episode

When Do You Need a PIA Amendment? | Episode #078

Listen to the Podcast

#PrivacyImpactAssessment, #ProtectYourPractice, Alberta, clinic, health care, Health Information Act, healthcare, HIA, how to do a pia, medical, Netcare, PIA, Privacy Impact Assessment, privacy impact assessment amendment, training

Can You Predict Successful Privacy Awareness Compliance Training?

Posted on June 13, 2019 by Jean Eaton in Blog

Protect your organization and your patients.

Investing in privacy awareness compliance training that is engaging, practical, and easy to access will prevent a privacy breach in your healthcare practice.

But, how do you find the right training?

Look for a strong completion rate.

A high completion rate is the single best predictor of successful privacy awareness compliance training. Most on-line courses have a 6-15% completion rate.

The Privacy Awareness in Healthcare: Essentials program from Corridor Interactive has a completion rate of 95%.

And the investment is only $35 per person.

Give your patients the gift of privacy. Improve your healthcare practice with privacy awareness education.

HURRY! A privacy breach can happen at any time!

health care, healthcare, HIA, PHIPA, privacy, privacy awareness compliance training

Are You Drowning in Patient Referrals?

Posted on May 13, 2019 by Jean Eaton in Blog

Are you drowning in patient referrals?

Playing telephone tag with specialists and patients?

Faxing is old technology, a massive time waster, and can be very costly both financially and emotionally when faxes get lost in the system.

In our Practice Management Nugget Webinars for Your Healthcare Practice series on October 12, 2017, I spoke with Dr. Denis Vincent, Physician Founder of ezReferral. There are many things that you can do right away to improve patient referral management.

Dr. Denis Vincent's #1 Tip to improve the patient referral process:

“Find more effective ways to involve and engage the patient in the referral process.”

The traditional referral workflow is inefficient

Using phone and fax messages from the referring provider to the consulting provider and back to the referring provider and then to the patient takes time. And every time that the message is transferred, there is a risk that the message is not understood or is lost.

So, we have a tendency to create complicated backup systems to double-check and make sure that none of the steps get missed. Many practices have created a ‘referral binder’ monster – the master referral list for the clinic. This binder is full of post-it notes, tags, and phone messages and reminders to help us make sure that the referral appointment is booked, the patient is notified, and the appropriate follow-up takes place.

Even in practices with an electronic medical record (EMR), we use a paper process to ‘make it easier’ to track patient referrals.

But the binder can only be used by one person at a time and only seen by the people in that office. The patient has no idea about the status of their referral so they phone the office regularly to ask for updates.

But wait! We want to make sure that everyone knows what is happening with the referral. We leave phone messages and voice mail and talk to the patient, the specialist, the referring provider to remind, confirm, and follow-up.

Save 60 minutes for each patient referral

Denis Vincent suggests that his family physician office referral coordinator used to spend an average of 75 minutes on each patient referral. That referral cycle can take months just to get to the point where the specialist appoint is confirmed and the patient is notified.

Now, using ezReferral, the entire referral process takes an average of 15 minutes of staff time per patient referral. That is a savings of 60 minutes per referral!

You can do this when you use a synchronous patient referral management system. EzReferral is a secure cloud-based solution that manages the patient referral process with clear real-time communication that the referring provider, specialist provider, and the patient can see at any time.

Multi-disciplinary healthcare team

ezReferral is designed to work with any multi-disciplinary referral pattern in your practice. For example, family physician to specialist physician or any other healthcare provider.

14 days from referral order to confirming appointment. Can you do that?

Starting in January 2017, physicians in Alberta must meet new time frames for acknowledging and responding to referral requests. If you are asked to consult on a patient, you will have:^[1]

7 days to acknowledge receipt of the request to the referring healthcare provider.
14 days to let the referring healthcare provider know whether you can accept the referral.
14 days to contact the patient to schedule an appointment or to confirm the status of the referral, if no appointment date has been determined.
30 days to provide the referring healthcare provider with a written report after your first appointment with the patient.
Consulting physicians will also need to be reasonably available to respond to referral requests and ensure their process is accessible.
Referring physicians will have to make sure they include all pertinent clinical information (including relevant investigation results) and the purpose of the consultation with their request, to enable the consulting physician to determine whether he/she can accept the referral within the mandated 14-day time frame.

([1] College of Physicians and Surgeons of Alberta)

These are good standards to meet for every type of healthcare provider.

You can meet these standards when you use a synchronous patient referral management system. EzReferral is a secure cloud-based solution that manages the patient referral process with clear real-time communication that the referring provider, specialist provider, and the patient can see at any time.

ezReferral Patient Text Message

Patient Benefits

Patient Engagement
Patient Satisfaction
Patient Peace of Mind
Better Patient Care

Referrer Benefits

Happier patients
Reduce workload
Eliminate the “black hole”
Satisfied Staff

Specialist Benefits

Reduced workload
Reduce no-shows
Reduce phone calls
Reduce overhead
Audit trail

Testimonial from Edmonton Eyelids

“Our office has been using ezReferral since July 2016. It’s easy to rave about this powerful communication tool – each referral received through this system takes a fraction of the time required through our faxed referral system, due mainly to the fact that most patients choose to receive referral notifications by text and/or email (thereby eliminating the “middle ground” in which some referrals can get lost). What truly sets ezReferral apart from ANY online interface that I have ever used: the support staff is accessible, proactive, and fast.”

Shawna Sazwan
Edmonton Eyelids

Dr. Vincent has implemented ezReferral in his family practice. I have to admit, I’m blown away with his experience that 95% of the patients choose to receive their notifications by text messaging. That’s much better than I anticipated.

This solution is ideal for healthcare practices with referrals within the medical community and even better when you are working with multidisciplinary referral teams. This works well for both paper based and electronic medical record based practices.

Watch the webinar replay now to see how you can save time, money, while improving the patients’ access to health care in a timely, efficient manner. You will also discover the key steps and timelines to prepare for implementation in your practice.

Practice Management Nugget webinar interview with Denis Vincent was recorded live on October 12, 2017.

Watch the Webinar

If you are a member of Practice Management Success, login here and view the webinar replay and access the members-only resources.

#PracticeManagementNuggets, Dr. Denis Vincent, ez Referral, ezReferral, fax, health care, healthcare, medical, patient referral management, practice management, review ezReferral

What is a PIA?

Posted on March 11, 2019 by Jean Eaton in Blog

Have you ever been in a situation where you had a great idea that you wanted to implement and then someone asked you if have a PIA for that?

Click on the >> arrow above to play the video.

Maybe you wanted to add a new digital health app to make it easier for patients to book appointments with you, or get access to Alberta Netcare Portal, use the internet to get on-line consultations for your patients, or start using a new EMR.

Or maybe you have a new healthcare practice and you are excited about choosing the right location, the right equipment, the right vendors that fit your budget and your goals.

A PIA is a practical business tool in your healthcare practice.

A PIA is an important tool that you can use to help you with that project management.

It will help you anticipate risks to the project before it starts and avoid serious problems, wasted time and money.

The PIA process requires you to have written policies and procedures so that you can implement the project effectively and train your staff consistently. Sometimes a PIA is a requirement of legislation. But it is always a best practice whenever you implement a project that includes personal health information.

Watch the video now to take a look at what is a PIA, what will a PIA do for you, and when you need a PIA. Just click on the image above to play the video.

Would you like more information about Privacy Impact Assessments for your healthcare practice?

By entering your email address above, you are requesting about upcoming training and related resources. You can opt out at any time, and we'll never rent or sell your email address.

health care, Health Information Act, healthcare, HIA, Netcare, PIA, privacy, Privacy Impact Assessment, What is a PIA?, what is a privacy impact assessment

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Posted on November 29, 2018 by Jean Eaton in Blog

In order to provide services, healthcare practices must collect pertinent information from patients. This data gathering often includes many sources of information, across different types of technology, among multiple vendors. Good business practices and health records management is supported by three agreements your healthcare must have: information manager agreement (IMA), information sharing agreement (ISA), and successor custodian agreement.

For instance, when a patient attends a clinic, their details are nearly always entered into a computer software program to maintain demographic information, manage patient appointments, and to process payments. Often, health service providers (including physicians, pharmacists, chiropractors, dentists, psychiatrists and more) record their patients’ notes into an electronic medical record (EMR).

Patient information is shared between providers where required. For example, when the patient visits a diagnostic lab for testing, results are often transmitted electronically to the ordering physician’s fax machine or to the EMR.

Custodians including physicians, pharmacists, chiropractors, dentists, and psychiatrists, as defined by the Alberta’s Health Information Act (HIA), must follow HIA legislation when they collect, use, and disclose health information.

Often, custodians are also the owners of independent healthcare practices. However, an owner of a healthcare practice is not the custodian if they are not also an active member of a regulated health profession named as custodians in the HIA.

1. Information Manager Agreement

The HIA allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, so patients can receive health services, and make payments. This often requires the custodian to share patient information with a vendor (or give them access to) so the vendor can process, store, or provide information as needed.

The custodian selects one or more business to provide the services, equipment, or software to assist in the management of health information. For example: EMR provider, contracted transcriptionist, billing agent, remote backup service, etc. These businesses are known in the HIA as information managers.

Before sharing health information with someone else, the custodian must ensure that the partners and vendors have reasonable safeguards in place to protect sensitive health information. The custodians must ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

The Information Manager Agreement (IMA) is one of three crucial agreements a healthcare practice must have in place.

If You Don’t Have an IMA

If you are a custodian who uses vendors as part of your business and you do not have an IMA with that vendor…

You are in breach of the HIA.
You may incur fines under the HIA.
You may face sanctions and disciplinary actions from your professional regulatory college.
Almost certainly, you will encounter conflicts, poor communication, between yourself and the vendor(s) and the other participating custodians in your practice.
You may lose control of the health information as reported in the Investigation Report H2013-IR-01from the Alberta Office of the Information and Privacy Commissioner (OIPC).

In a press release from the Alberta OIPC in 2013, Information and Privacy Commissioner Jill Clayton noted that:

“The HIA allows custodians to disclose health information to IT service providers, such as EMR vendors, under an appropriate Information Manager Agreement. When custodians do not sign these agreements, they may find themselves in the unfortunate position of losing control over the health information they need to provide health services.”

Investigation Report H2013-IR-01 (https://www.oipc.ab.ca/news-and-events/news-releases/2013/investigation-report-h2013-ir-01.aspx)

Who Must Create the Information Manager Agreement?

The custodian is responsible to ensure that there is an appropriate IMA created and signed.

The information manager can assist the custodian by preparing templates of the IMA including specific details of the services that they will provide and the safeguards that the vendor will implement to protect personal health information.

Key Points About IMAs

A few important notes about IMAs.

IMA must be signed by the custodian.
Agreements signed by individuals who are not custodians are not valid under the HIA.
Custodians are required under the HIA to have an IMA with the vendor before disclosing health information. If there is no agreement in place, the custodian is in breach of the HIA.
Custodians are responsible for the health information that they collect, use, and disclose. Therefore, the custodian is responsible for the IMA and to ensure that the health information will be handled confidently and securely.

Key Points IMA

The custodian can select the best vendor and information manager for the job. The vendor who understands the requirements of the HIA and who can demonstrate that they have implemented the appropriate reasonable safeguards and can assist the custodian to develop an appropriate IMA is, in my opinion, demonstrating a significant competitive advantage.

All healthcare providers in a community practice should spend time when creating their business to establish good business practices, including developing written contracts and agreements to improve the efficiency of the business and to make things happen in the way that they are planned.

Here is a common example

Dr. Alice and Dr. Mark created a welcoming family medical practice in a new sub-division of their city. They each worked hard to attract new patients, hire and train staff, and develop a profitable business.

In the last few years, Alice and Mark had differences of opinion on how to grow their business. In the end, Alice decided that this type of practice wasn’t for her. She decided to leave and join a larger practice in a neighbouring subdivision. Alice wanted to take her patient’s records with her to her new practice and continue to see her patients at the new location.

Mark, who had signed the IMA with the EMR vendor, did not agree to Alice’s request to transfer her patient records to her new group practice.

Alice and Mark argued and eventually involved a professional mediator to help them resolve their business conflict. Hurt feelings between the providers and staff, costly delays in their business and expenses could have been avoided if Alice and Mark had established clear expectations in the event of the termination of their business partnership when they started their group practice. An IMA between custodians in a group practice is a recommended best practice.

When You Have Multiple Custodians in Your Healthcare Practice

When the practice has multiple providers, the owner and custodian frequently assumes responsibility for maintaining the contracts and IMAs with the vendors. Each of the participating healthcare providers may delegate the responsibility of maintaining the vendor arrangements to the custodian owner. This can be achieved with an IMA between the owner / custodian and each participating custodian.

Custodian Owner IMA

Each healthcare provider custodian is considered the custodian of the health information that they collect. The custodians can jointly agree to all use the same EMR. This provides continuity of care for the patients and economy of scale for the participants of the practice.

When the owner/custodian signs the agreement with the EMR, they become the signatory custodian. The EMR vendor takes their instructions from the signatory custodian.

The owner / custodian is now an information manager for all the participating custodians. but does not become a custodian of the health information provided to them in their roles as an information manager.

For example,

Dr. Bill opened his medical practice, ABC Clinic. Later, additional physicians were recruited to work at ABC Clinic. The physicians are each custodians as defined by the HIA.

Dr. Bill assumes the responsibility for the operations of the clinic including the computer network and the contract with the EMR vendor. Dr. Bill is the information manager for the patient records at the clinic.

Each physician signs an IMA with Dr. Bill and agree that he will continue to manage the patient records on their behalf. Dr. Bill is operating as an information manager.

In his role of the information manager, Dr. Bill must follow the instructions from each physician, the custodian, as it relates to the management of their patients’ records.

2. Information Sharing Agreement (ISA)

When you have more than one physician in your practice, you need an agreement about how you will decide to manage the personal health information in your practice.

An Information Sharing Agreement (ISA) focuses on the internal decision making about all things related to personal health information whereas, an IMA is an agreement with a single vendor about the services that the vendor provides.

ISA IMA

An ISA may include things related to the services that a vendor provides but is not limited to just vendor services.

It also includes decisions about the process to ensure appropriate role based access to personal health information in the EMR, computer network, and paper formats; the regular review of health information privacy and security policies and procedures, ensuring privacy and security awareness training, the regular review of administrative, technical, and physical safeguards in the practice, and so on.

In larger organizations or when several smaller organizations participate in an information sharing initiative, a Data Management Committee may provide oversight and facilitate this process.

An ISA is a requirement of the College of Physicians and Surgeons of Alberta.

Identifying a successor custodian is also a requirement of the College of Physicians and Surgeons (CPSA).

3. Successor Custodianship Agreement

As a business owner, you need to plan a successor to the business. This might be an interim or short-term decision to ensure continuity during an absence or future retirement planning or unexpected illness or death.

In healthcare, physicians and custodians have the added responsibility as the ‘gatekeeper’ for patient records. In the event of a sudden inability to meet these responsibilities, physicians need to identify a successor custodian to ensure appropriate and continued access by patients to their health information for their continuing care and treatment and to ensure that the continuing confidentiality, security, and access to patient records continue to be fulfilled.

Have you identified a successor custodian? Each of the physicians in your group practice should also identify their own successor custodian.

This is a CPSA requirement and should also be included in the Privacy Impact Assessment if you have this information available. See CPSA, Patient Record Retention, s.5:

A regulated member acting as a custodian must designate a successor custodian to ensure the retention and accessibility of patient records in the event the regulated member is unable to continue as custodian. (Reference: Health Information Act Section 35(1)(q)

If you are a chiropractor, the Alberta College and Association of Chiropractors (ACAC) further requires its members to name a chiropractor as the successor custodian to maintain the status of ‘chiropractic’ records. (See the ACAC’s Standards of Practice s5.3 Custodianship of Health Records.)

A chiropractor, as a custodian of health records, is responsible for the care and control of the health records in their practices as required by the Health Information Act of Alberta. A custodian of active chiropractic files must be under the custody or control of an active, registered member of the ACAC.

Note that under the Health Information Act, a chiropractor may disclose files to another custodian who is not a chiropractor, and only a chiropractor may have custody or control of chiropractic files. Chiropractic files disclosed to a non-chiropractor should no longer be considered chiropractic files.

A custodian must implement technical and physical safeguards to protect the confidentiality of the information and privacy of individuals as well as protections against reasonably anticipated threats to the security or integrity of the information. A custodian must also defend against unauthorized uses, disclosures or modifications of the information. Safeguards must be periodically assessed and documented in policies and procedures.

If you are working in an owner/custodian scenario discussed above, clearly identifying a successor custodian becomes imperative. An unplanned absence of the owner / custodian can seriously jeopardize the business and the continuing care and treatment of patients.

The custodian can, but is not required to, name another custodian in the same practice to be their successor. Whatever your decision, ensure that this is well documented and easily accessible to the other custodians and key decision makers in your organization in the event of an emergency.

The best time to create IMA, ISA, and Successor Custodianship Agreements is when you start your healthcare business.

The second best time in now.

What are you waiting for?

If you need assistance, contact Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers. I’m here to help you with your Practice Management Success.

Download the FREE Report - Top 3 Agreements Your Healthcare Practice MUST Have

If you are a member of Practice Management Success, login here to access the Top 3 Agreements.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

chiropractors, dentists, health care, Health Information Act, healthcare, HIA, IMA, information management agreement, information manager agreement, information sharing agreement, ISA, medical, physicians, Practice Management Success, successor custodian

1 2 3 ›»