When Do You Need a PIA Amendment?

Posted on July 23, 2019 by Jean Eaton in Blog

A Privacy Impact Assessment Is Good For Business

A privacy impact assessment (PIA) is part of a regular business process if you collect, use, or disclose personal health information in your healthcare practice. When you have a previous PIA that has been prepared, submitted to the Office of the Information and Privacy Commissioner (OIPC) and it has been accepted for use–well, that is not the end of your PIA journey.

You need to ensure that you are updating and amending your PIA as your practice matures and as you make administrative and technical changes to the procedures in your practice.

You need a PIA Amendment when you have a previously accepted PIA and any one of these common triggers below.

You Have a PIA That Was Written More Than 2 Years Ago

It is time to review and update this!

Under Section 8(3) of Alberta’s Health Information Regulation, custodians must periodically review the safeguards they have in place to protect health information privacy. This means that custodians need to regularly review the privacy risk mitigation plans set out in PIAs to ensure they continue to protect against reasonably foreseeable risks to the privacy of health information. The submission of your PIA to the Office of the Information and Privacy Commissioner (OIPC) is mandatory and must precede implementation of your new system or practice.

Change in Health Information Act (HIA) Legislation and Regulations

The HIA has undergone significant amendments in 2006, 2010, most recently in August 2018. Make sure that you have updated your privacy breach management program and include mandatory privacy breach notification to the (OIPC) and the Minister of Health (MOH). Again, ensure that your team training has been updated so that they know how to spot, stop, and report a privacy breach. (See Mandatory Privacy Breach Notification)

Changes In Your Electronic Medical Record or Computer Network

You have the same EMR database, but maybe the configuration has changed. For example, a change from a local to an application service provider (ASP) or cloud-based data centre or Software as a Service (SAS) model would trigger a PIA amendment.

Another trigger is a change in your computer network vendor or changes in wireless networking, remote access, or implementing mobile devices.

Change in Participating Physicians / Privacy Officer

Since your original PIA, you may have new custodians, including physicians, registered nurses, chiropractors, and other health professionals named in the HIA that have joined or left your practice. Your Privacy Officer may have changed, too. Your amendment should include an up-to-date listing of custodians and privacy officers.

New Users / Information Sharing

There have been many recent information sharing initiatives in healthcare. You might now plan to participate in evaluation projects, patient panel management, or other community initiatives. Make sure that you have your PIA amendment and information manager agreements completed, too. (See – The Top 3 Agreements Your Healthcare Practice MUST Have (and Why).

A quick word of caution: if your new information sharing project includes data matching–the creation of new information by combining two or more sets of data—requires custodians to prepare a privacy impact assessment before performing data matching involving health information (HIA sections 70, 71). The custodian that carries out the data matching is responsible for preparing the Privacy Impact Assessment.

Communicating With Patients

If you are adding new technology to keep in touch with patients for appointment reminders, on-line appointment booking, secure email or patient portals, these will trigger a PIA amendment or, perhaps, a project specific PIA. Make sure that your policies and procedures are up to date, too. (See – Can You Use Text Message With Your Patients? )

Alberta Netcare Portal (ANP) / Community Integration Initiative (CII) / CPAR

ANP updated their PIA in 2016 and, therefore, you need to make sure that your corresponding policies and procedures and training have been updated, too. Remember – when you agreed to participate in ANP, you promised that you would review your threat risk analysis (TRA) and update your Provincial Organization Readiness Assessment (p-ORA) when changes occur and at least every two years.

If you want to participate in new initiatives like CII and CPAR, you need to review and update both your PIA and your p-ORA, too.

Maturing Practice

You have learned and grown since your original Privacy Impact Assessment submission. Have you implemented everything that you said that you would? Can you demonstrate that your teams have received privacy and security awareness training? Have you reviewed your Health Information Management Privacy and Security policies and procedures in the last two years?

Keeping up to date without any other significant changes to your practice may not trigger a Privacy Impact Assessment amendment. Make sure that you document your careful review so that you are prepared for your next Privacy Impact Assessment submission.

Important Business Decisions

Creating and reviewing your PIA regularly can help you to spot errors or gaps between the way that you do the work in the clinic and the way that you said that you were going to implement in your clinic.

The questions that we ask during the PIA process are important. The time that you take now to identify the potential risks and prevent those incidents from happening may save you time, money, reputation and even jail time in the future.

You Know Your Practice Better Than Anyone Else

When you have a coach to guide you through the PIA amendment process, provide you with templates, and give you feedback on your work in regular live training webinars, join me in the on-line step-by-step course, Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments.

Find out more here: Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments or send me an email.

Practice Management Nuggets Podcast

This topic is included in our Practice Management Nuggets podcast! Be sure to tune in to the podcast episode

When Do You Need a PIA Amendment? | Episode #078

Listen to the Podcast

#PrivacyImpactAssessment, #ProtectYourPractice, Alberta, clinic, health care, Health Information Act, healthcare, HIA, how to do a pia, medical, Netcare, PIA, Privacy Impact Assessment, privacy impact assessment amendment, training

When is a Privacy Breach a Privacy Breach?

Posted on July 13, 2019 by Jean Eaton in Blog

The biggest mistake in managing a privacy breach is not recognizing the privacy breach.

The second biggest mistake is not knowing what to do about it.

The recent publicity about the privacy breach in Alberta when a laptop with health information was stolen and came to the public's attention several months later is not the first news item of its kind. In fact, this happens frequently in healthcare, retail, government departments and other industries. This doesn't make it any easier to swallow and certainly doesn't make it right. But this is an opportunity for you, healthcare provider or practice manager, and vendor to make sure that you have good practices in place to manage your next privacy breach.

Health information is recognized as being particularly sensitive and important to the person that the information is about. It is so important, in fact, that a new breed of legislation was developed to set out specific rules to ensure that the health information has robust safeguards (administrative, technical, and physical) to keep the health information confidential and secure. In Alberta, the Health Information Act (HIA) was proclaimed in 2001 to help custodians (people or organizations who collect, use, and disclose health information) ensure that they have identified the risks to breach of health information and how to prevent those risks. The legislation also ensures that the people who the health information is about have access to their personal health information.

In August 2018, amendments to the HIA were proclaimed that make it mandatory to report a privacy breach that could result in harm to the Office of the Information and Privacy Commissioner (OIPC).

Privacy breaches come in all types and sizes. One of the most common forms of a privacy breach is when a clinic or healthcare provider intends to send a report to another healthcare provider for continuing care and treatment but it is sent to the wrong physician. Or, the referral request went to the correct physician but included extra information about another patient that was not part of the referral.

What Is Considered a Privacy Breach?

A privacy breach is an unauthorized access to or unauthorized collection, use, disclosure , loss, or disposal of personal or health information.

To each of us, our own personal health information is important. As a healthcare industry, we need to ensure that we recognize this and acknowledge that each privacy breach is important to the person the information is about. We need to make sure that we minimize the risk of the information being used inappropriately or maliciously. We need to acknowledge to ourselves and to our patients and clients that we are human and that sometimes we do make mistakes and we will strive to do better.

A ‘small' breach of one person one time might have a big impact to the individuals involved.

A ‘big' breach of a lost laptop might have a bigger magnitude affecting many individuals.

When a breach also meets the requirements of mandatory notification, a custodian must report the breach regardless of how many people's information have been included in the breach.

4 Step Response Plan

When you have a privacy breach, follow these four steps to manage the privacy breach incident.

Step 1 – Spot and Stop the Breach

Each breach is important and needs to be recognized. Contain the breach so that it doesn't get any bigger.

Step 2 – Evaluate the Risks

Your privacy officer will investigate the incident and learn about the size, scope, and details about the breach. Consider if there is a reasonable basis to believe that there is a risk of harm to an individual

Step 3 – Notify

Notify the custodian, the affected individuals and (now, with the 2018 amendments), the Alberta OIPC, Minister of Health, Alberta Health (if the breach includes Netcare) and others.

The individual who's information has been breached needs to be made aware of the problem and the risk that might be experienced so that they can be prepare to limit the risks. The custodian needs to know how to manage the privacy breach and report it – internally and perhaps to other stakeholders.

Step 4 – Prevent the Breach From Happening Again

Correct and monitor the incident(s). Actively take steps so that the breach does not happen again.

Not Sure What To Do?

You never know when a privacy breach will happen! Prepare now with a privacy breach management program and coaching from the Practical Privacy Coach!

Learn what to do if you have a privacy breach.

4 Step Response Plan, Alberta, breach, Health Information Act, HIA, OIPC, privacy, privacy breach, training

What is a PIA?

Posted on March 11, 2019 by Jean Eaton in Blog

Have you ever been in a situation where you had a great idea that you wanted to implement and then someone asked you if have a PIA for that?

Click on the >> arrow above to play the video.

Maybe you wanted to add a new digital health app to make it easier for patients to book appointments with you, or get access to Alberta Netcare Portal, use the internet to get on-line consultations for your patients, or start using a new EMR.

Or maybe you have a new healthcare practice and you are excited about choosing the right location, the right equipment, the right vendors that fit your budget and your goals.

A PIA is a practical business tool in your healthcare practice.

A PIA is an important tool that you can use to help you with that project management.

It will help you anticipate risks to the project before it starts and avoid serious problems, wasted time and money.

The PIA process requires you to have written policies and procedures so that you can implement the project effectively and train your staff consistently. Sometimes a PIA is a requirement of legislation. But it is always a best practice whenever you implement a project that includes personal health information.

Watch the video now to take a look at what is a PIA, what will a PIA do for you, and when you need a PIA. Just click on the image above to play the video.

Would you like more information about Privacy Impact Assessments for your healthcare practice?

By entering your email address above, you are requesting about upcoming training and related resources. You can opt out at any time, and we'll never rent or sell your email address.

health care, Health Information Act, healthcare, HIA, Netcare, PIA, privacy, Privacy Impact Assessment, What is a PIA?, what is a privacy impact assessment

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Posted on November 29, 2018 by Jean Eaton in Blog

In order to provide services, healthcare practices must collect pertinent information from patients. This data gathering often includes many sources of information, across different types of technology, among multiple vendors. Good business practices and health records management is supported by three agreements your healthcare must have: information manager agreement (IMA), information sharing agreement (ISA), and successor custodian agreement.

For instance, when a patient attends a clinic, their details are nearly always entered into a computer software program to maintain demographic information, manage patient appointments, and to process payments. Often, health service providers (including physicians, pharmacists, chiropractors, dentists, psychiatrists and more) record their patients’ notes into an electronic medical record (EMR).

Patient information is shared between providers where required. For example, when the patient visits a diagnostic lab for testing, results are often transmitted electronically to the ordering physician’s fax machine or to the EMR.

Custodians including physicians, pharmacists, chiropractors, dentists, and psychiatrists, as defined by the Alberta’s Health Information Act (HIA), must follow HIA legislation when they collect, use, and disclose health information.

Often, custodians are also the owners of independent healthcare practices. However, an owner of a healthcare practice is not the custodian if they are not also an active member of a regulated health profession named as custodians in the HIA.

1. Information Manager Agreement

The HIA allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, so patients can receive health services, and make payments. This often requires the custodian to share patient information with a vendor (or give them access to) so the vendor can process, store, or provide information as needed.

The custodian selects one or more business to provide the services, equipment, or software to assist in the management of health information. For example: EMR provider, contracted transcriptionist, billing agent, remote backup service, etc. These businesses are known in the HIA as information managers.

Before sharing health information with someone else, the custodian must ensure that the partners and vendors have reasonable safeguards in place to protect sensitive health information. The custodians must ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

The Information Manager Agreement (IMA) is one of three crucial agreements a healthcare practice must have in place.

If You Don’t Have an IMA

If you are a custodian who uses vendors as part of your business and you do not have an IMA with that vendor…

You are in breach of the HIA.
You may incur fines under the HIA.
You may face sanctions and disciplinary actions from your professional regulatory college.
Almost certainly, you will encounter conflicts, poor communication, between yourself and the vendor(s) and the other participating custodians in your practice.
You may lose control of the health information as reported in the Investigation Report H2013-IR-01from the Alberta Office of the Information and Privacy Commissioner (OIPC).

In a press release from the Alberta OIPC in 2013, Information and Privacy Commissioner Jill Clayton noted that:

“The HIA allows custodians to disclose health information to IT service providers, such as EMR vendors, under an appropriate Information Manager Agreement. When custodians do not sign these agreements, they may find themselves in the unfortunate position of losing control over the health information they need to provide health services.”

Investigation Report H2013-IR-01 (https://www.oipc.ab.ca/news-and-events/news-releases/2013/investigation-report-h2013-ir-01.aspx)

Who Must Create the Information Manager Agreement?

The custodian is responsible to ensure that there is an appropriate IMA created and signed.

The information manager can assist the custodian by preparing templates of the IMA including specific details of the services that they will provide and the safeguards that the vendor will implement to protect personal health information.

Key Points About IMAs

A few important notes about IMAs.

IMA must be signed by the custodian.
Agreements signed by individuals who are not custodians are not valid under the HIA.
Custodians are required under the HIA to have an IMA with the vendor before disclosing health information. If there is no agreement in place, the custodian is in breach of the HIA.
Custodians are responsible for the health information that they collect, use, and disclose. Therefore, the custodian is responsible for the IMA and to ensure that the health information will be handled confidently and securely.

Key Points IMA

The custodian can select the best vendor and information manager for the job. The vendor who understands the requirements of the HIA and who can demonstrate that they have implemented the appropriate reasonable safeguards and can assist the custodian to develop an appropriate IMA is, in my opinion, demonstrating a significant competitive advantage.

All healthcare providers in a community practice should spend time when creating their business to establish good business practices, including developing written contracts and agreements to improve the efficiency of the business and to make things happen in the way that they are planned.

Here is a common example

Dr. Alice and Dr. Mark created a welcoming family medical practice in a new sub-division of their city. They each worked hard to attract new patients, hire and train staff, and develop a profitable business.

In the last few years, Alice and Mark had differences of opinion on how to grow their business. In the end, Alice decided that this type of practice wasn’t for her. She decided to leave and join a larger practice in a neighbouring subdivision. Alice wanted to take her patient’s records with her to her new practice and continue to see her patients at the new location.

Mark, who had signed the IMA with the EMR vendor, did not agree to Alice’s request to transfer her patient records to her new group practice.

Alice and Mark argued and eventually involved a professional mediator to help them resolve their business conflict. Hurt feelings between the providers and staff, costly delays in their business and expenses could have been avoided if Alice and Mark had established clear expectations in the event of the termination of their business partnership when they started their group practice. An IMA between custodians in a group practice is a recommended best practice.

When You Have Multiple Custodians in Your Healthcare Practice

When the practice has multiple providers, the owner and custodian frequently assumes responsibility for maintaining the contracts and IMAs with the vendors. Each of the participating healthcare providers may delegate the responsibility of maintaining the vendor arrangements to the custodian owner. This can be achieved with an IMA between the owner / custodian and each participating custodian.

Custodian Owner IMA

Each healthcare provider custodian is considered the custodian of the health information that they collect. The custodians can jointly agree to all use the same EMR. This provides continuity of care for the patients and economy of scale for the participants of the practice.

When the owner/custodian signs the agreement with the EMR, they become the signatory custodian. The EMR vendor takes their instructions from the signatory custodian.

The owner / custodian is now an information manager for all the participating custodians. but does not become a custodian of the health information provided to them in their roles as an information manager.

For example,

Dr. Bill opened his medical practice, ABC Clinic. Later, additional physicians were recruited to work at ABC Clinic. The physicians are each custodians as defined by the HIA.

Dr. Bill assumes the responsibility for the operations of the clinic including the computer network and the contract with the EMR vendor. Dr. Bill is the information manager for the patient records at the clinic.

Each physician signs an IMA with Dr. Bill and agree that he will continue to manage the patient records on their behalf. Dr. Bill is operating as an information manager.

In his role of the information manager, Dr. Bill must follow the instructions from each physician, the custodian, as it relates to the management of their patients’ records.

2. Information Sharing Agreement (ISA)

When you have more than one physician in your practice, you need an agreement about how you will decide to manage the personal health information in your practice.

An Information Sharing Agreement (ISA) focuses on the internal decision making about all things related to personal health information whereas, an IMA is an agreement with a single vendor about the services that the vendor provides.

ISA IMA

An ISA may include things related to the services that a vendor provides but is not limited to just vendor services.

It also includes decisions about the process to ensure appropriate role based access to personal health information in the EMR, computer network, and paper formats; the regular review of health information privacy and security policies and procedures, ensuring privacy and security awareness training, the regular review of administrative, technical, and physical safeguards in the practice, and so on.

In larger organizations or when several smaller organizations participate in an information sharing initiative, a Data Management Committee may provide oversight and facilitate this process.

An ISA is a requirement of the College of Physicians and Surgeons of Alberta.

Identifying a successor custodian is also a requirement of the College of Physicians and Surgeons (CPSA).

3. Successor Custodianship Agreement

As a business owner, you need to plan a successor to the business. This might be an interim or short-term decision to ensure continuity during an absence or future retirement planning or unexpected illness or death.

In healthcare, physicians and custodians have the added responsibility as the ‘gatekeeper’ for patient records. In the event of a sudden inability to meet these responsibilities, physicians need to identify a successor custodian to ensure appropriate and continued access by patients to their health information for their continuing care and treatment and to ensure that the continuing confidentiality, security, and access to patient records continue to be fulfilled.

Have you identified a successor custodian? Each of the physicians in your group practice should also identify their own successor custodian.

This is a CPSA requirement and should also be included in the Privacy Impact Assessment if you have this information available. See CPSA, Patient Record Retention, s.5:

A regulated member acting as a custodian must designate a successor custodian to ensure the retention and accessibility of patient records in the event the regulated member is unable to continue as custodian. (Reference: Health Information Act Section 35(1)(q)

If you are a chiropractor, the Alberta College and Association of Chiropractors (ACAC) further requires its members to name a chiropractor as the successor custodian to maintain the status of ‘chiropractic’ records. (See the ACAC’s Standards of Practice s5.3 Custodianship of Health Records.)

A chiropractor, as a custodian of health records, is responsible for the care and control of the health records in their practices as required by the Health Information Act of Alberta. A custodian of active chiropractic files must be under the custody or control of an active, registered member of the ACAC.

Note that under the Health Information Act, a chiropractor may disclose files to another custodian who is not a chiropractor, and only a chiropractor may have custody or control of chiropractic files. Chiropractic files disclosed to a non-chiropractor should no longer be considered chiropractic files.

A custodian must implement technical and physical safeguards to protect the confidentiality of the information and privacy of individuals as well as protections against reasonably anticipated threats to the security or integrity of the information. A custodian must also defend against unauthorized uses, disclosures or modifications of the information. Safeguards must be periodically assessed and documented in policies and procedures.

If you are working in an owner/custodian scenario discussed above, clearly identifying a successor custodian becomes imperative. An unplanned absence of the owner / custodian can seriously jeopardize the business and the continuing care and treatment of patients.

The custodian can, but is not required to, name another custodian in the same practice to be their successor. Whatever your decision, ensure that this is well documented and easily accessible to the other custodians and key decision makers in your organization in the event of an emergency.

The best time to create IMA, ISA, and Successor Custodianship Agreements is when you start your healthcare business.

The second best time in now.

What are you waiting for?

If you need assistance, contact Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers. I’m here to help you with your Practice Management Success.

Download the FREE Report - Top 3 Agreements Your Healthcare Practice MUST Have

If you are a member of Practice Management Success, login here to access the Top 3 Agreements.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

chiropractors, dentists, health care, Health Information Act, healthcare, HIA, IMA, information management agreement, information manager agreement, information sharing agreement, ISA, medical, physicians, Practice Management Success, successor custodian

Mandatory Privacy Breach Reporting Comes to Alberta!

Posted on July 30, 2018 by Jean Eaton in Blog

I didn't think it was going to happen . . . but it did!

Mandatory privacy breach reporting has been proclaimed in Alberta.

In May of 2018, the province of Alberta proclaimed mandatory breach reporting amendments to the Health Information Act (HIA) and the Health Information Regulation (HIR). These amendments were accepted by the Legislative Assembly in 2014 and will come into force on August 31, 2018.

Custodians will be required to report privacy breaches with risk of harm to the Office of the Information and Privacy Commissioner (OIPC) and the Minister of Health of Alberta. Currently, breach notification is voluntary.

This will impact ALL custodians including physicians, pharmacists, chiropractors, dentists, dental hygienists, podiatrists, midwives, optometrists, opticians, registered nurses and more!

What is a Privacy Breach?

A privacy breach is a loss, unauthorized access to, unauthorized use, unauthorized disclosure, authorized access for unauthorized use of personal information.

Personal information may include your name, date of birth, address, account information, or even your email address.

Why is a Privacy Breach a Significant Problem?

A privacy breach affects the individual, the business, and the healthcare industry.

There is an active market for personal identities, with great financial incentive to steal or misuse this personal information. In fact, healthcare data is more valuable than financial information. Once someone has access to personal health information, they can use it to make a fraudulent insurance claims, access to services, and leverage the information for identity theft and fraud. Healthcare providers are a high-value target because of the long-term value of health information.

Privacy breaches happen all the time. Did you know that 80% of all privacy breaches occur internal to the business? Most of these breaches are an ‘oops’ or honest mistakes or a result of not carefully following procedures. Sometimes there is a pattern of similar breaches that indicate a broken work flow or automated process or carelessness or disregard to the security of personal information.

Sometimes information is intentionally stolen to harm a specific person or for financial gain. Sometimes the theft is by employees and sometimes by visitors to the business. Sometimes the theft occurs from outside of the business (i.e. hackers, contracted service providers, or business agents).

The individual may be embarrassed, inconvenienced, or angry directly related to what information has been breached and who now has access to the information. The individual may now be at a real risk of harm from identity theft, stalking, loss of employment, fraud, and the unexpected expense to manage the loss of personal information. These are examples of ‘risk of significant harm’.

Of particular importance in healthcare, is the risk of medical identity theft where the breached information is used to fraudulently access healthcare services. As a result of this, inaccurate information may be added to the owner’s healthcare records which can cause errors or delays in receiving necessary care and treatment.

Managing a Privacy Breach is Expensive

The healthcare business can spend $150 to $2,000 or more for each individual that requires notification about a privacy breach. When a privacy breach is identified, the business must (with some few exceptions) notify the individuals affected (including the patient and the healthcare providers identified in the breach) to let them know about the breach, advise them how they might be affected by the breach, and how they can protect themselves from further harm.

Your internal privacy beach investigation takes time and may require additional support from external experts including a consulting privacy officer, lawyer, investigator, human resources, communications and marketing experts.

The process of managing the notification also costs time, resources, and money. The incident might cause negative publicity for the business. Addressing and correcting the cause of the breach, improving processes to prevent further incidents, and the administrative tasks of managing and reporting the breach all contribute to a significant expense to the business.

Why Have Mandatory Privacy Breach Reporting?

A privacy breach in one healthcare organization affects all healthcare businesses. The healthcare system is a highly integrated information sharing system designed to provide timely and accurate care and treatment to patients, and to receive financial compensation for those services. A weakness or problem at one business may have down-stream implications to other businesses. When one business has a privacy or security breach, there is a risk that the public (including patients and clients) may think that all healthcare businesses have the same problems.

Mandatory privacy breach reporting to the Privacy Commissioner of Alberta (OIPC), and the Minister of Health in Alberta will help to ensure that the breach response and notification is comprehensive. A central oversight with the OIPC and the Minster will provide the opportunity to anticipate any additional risks to privacy and security within the broader health care system in Alberta.

It is our job to manage each privacy breach with confidence, compassion, and transparency to the individuals affected by the breach. We need to take all reasonable steps to prevent a privacy breach and be prepared to respond to the breach when it occurs.

The importance of securing health information and to appear to appropriately respond to a privacy breach is part of the desired outcomes of the new mandatory privacy breach reporting.

Notification Triggers

The trigger for notifying the OIPC, the Minister, and individuals about an incident is present when there is a ‘risk of harm’ to an individual as result of the loss or unauthorized disclosure (HIA s. 60.1(4).

Custodians are required to consider five categories of triggers to assess the likelihood of risk of harm (HIR s.8.1(a to e)). In addition to any other relevant factors, custodians must assess if there is a reasonable basis to believe that the information:

Has been or may be accessed by or disclosed to a person
Has been misused or will be misused
Could be used for the purpose of identity theft or to commit fraud
Could cause embarrassment or physical, mental or financial harm or damage to the reputation of the individual who is the subject of the information
Has adversely affected or will adversely affect the provision of a health service to the individual who is the subject of the information

Mitigating Risk of Harm

When custodians implement reasonable safeguards as part of their routine privacy and security strategies, the likelihood of risk of harm is reduced. These situations (HIR s.8.1(f to i)) occur when the information included in the loss or unauthorized access has been

Encrypted or otherwise secured (applicable to electronic information), or
Destroyed or rendered inaccessible

When information is lost or disclosed and subsequently recovered by the custodian, and the custodian can demonstrate:

The information was not accessed before it was recovered, or
The only person who access the information is a custodian, affiliate, information manager subject to section 60 of the Act or,
Accessed the information as part of their role as a custodian or affiliate and not for an improper use and
Did not improperly use or disclose the information,

the custodian is not required to give notice of the loss or unauthorized access or disclosure under HIA s.60.1(2).

Remember that the custodian must record each privacy breach in their practice including their reasons for their decision to notify and their decision not to notify.

When you record each privacy breach, including ‘oops’, errors, or mistakes that, individually, may not trigger notification requirements, you may find that there is a pattern of breaches that may indicate:

broken work flow, or
broken automated process, or
carelessness or disregard to the security of personal information.

These situations may trigger mandatory privacy breach notification requirements.

It's an Offence to Fail to Protect Personal Health Information

The new amendments detail the reporting responsibilities of custodians and affiliates in the event of a privacy breach.

For Custodians

The new regulations also include new penalties for custodians and affiliates who:

Fail to report a breach
Fail to take reasonable steps to maintain safeguards to protect health information, which includes administrative, technical and physical safeguards (HIA s.107(1.1)(a))

A custodian or affiliate found guilty of one of the above offences can face a fine of up to $50,000 per occurrence.

For Affiliates

Affiliates (generally, the employees of the custodian) must report any loss, unauthorized access or disclosure of identifying health information to their custodian. This applies to information managers (vendors and service providers to custodians), too.

New Notification Requirements

If the custodian believes the breach could result in harm to the individual, the custodian, as soon as practicable, is required to notify (HIA s60.1):

The Privacy Commissioner of Alberta (OIPC), and the
Minister of Health in Alberta and
The Individual(s) affected by the privacy breach

Don’t forget that there continues to be other people you may need to notify. Depending on the unique circumstances this may include the police, insurance, primary care networks, Netcare, and other information sharing partners.

The notice to the Privacy Commissioner of Alberta (OIPC) must be in writing in a form approved by the Commissioner and must include (HIR s.8.2(2)):

Name of the custodian
Description of the circumstances
Date or time period which the incident occurred
Date which the incident was discovered
Description of the type of information that was lost, accessed, or disclosed
Risk of harm to an individual and an explanation of how the risk of harm was assessed
Number of individuals affected by the incident
Description of the steps that the custodian has or intends to take to reduce the risk of harm
Plans to prevent the risk of future loss, or unauthorized access or disclosure
Copy of the notice that will be provided to the individual(s) and a description of how the notice will be provided directly or by substitutional service
- If the custodian believes that notifying the individual about the incident may result in harm to the individual, the custodian must immediately notify the Commissioner (HIA s.60.1(5))
Contact information for the custodian or their responsible affiliate (privacy officer)
Any other relevant information

The notice to the Minister of Health in Alberta must be in writing in a form approved by the Minister and must include (HIR s.8.3):

Name of the custodian
Description of the circumstances
Description of the type of information that was lost, accessed, or disclosed
Risk of harm to an individual and an explanation of how the risk of harm was assessed
Number of individuals affected by the incident
Description of the steps that the custodian has or intends to take to reduce the risk of harm
Contact information for the custodian or their responsible affiliate (privacy officer)
Any other relevant information

The notice to the individual must be in writing and include (HIR s.8.4):

Description of the circumstances
Date or time period which the incident occurred
Name of the custodian
Description of the type of information that was lost, accessed, or disclosed
Risk of harm to an individual and an explanation of how the risk of harm was assessed
Description of the steps that the custodian has or intends to take to reduce the risk of harm to the individual
Plans to prevent the risk of future loss, or unauthorized access or disclosure
Advice that the custodian believes the individual may be able to take to reduce the risk of harm to the individual
A statement that the individual may ask the Commissioner to investigate the incident and the contact information of the OIPC
Contact information for the custodian or their responsible affiliate (privacy officer)
Any other relevant information

Your Next Steps

Prepare your Privacy Breach Management Program in your healthcare practice. Review (or create) your privacy breach management program including these 5 key elements:

Privacy breach management policy
Privacy and security incident response plan
Training for your privacy officer, management team, and custodians
Human resources privacy breach discipline policy and
Privacy breach reporting record keeping procedures

If you are a privacy officer, clinic manager, or healthcare provider you can prevent privacy breach pain with the “4 Step Response Plan”.

This on-line education with quick and helpful videos, examples, policy templates, privacy breach reporting templates, and risk of significant harm templates will guide you to properly manage a privacy breach, create your Privacy Breach Management Program, and be prepared for Mandatory Privacy Breach Notification requirements.

This is critical to the continued success of your business!

See: https://InformationManagers.ca/4-step

References

These amendments were passed under the Statutes Amendments Act, 2014 in May 2014 and will be proclaimed in force August 31, 2018

Health Information Amendment Regulation

Office of the Information and Privacy Commissioner

Statutes Amendment Act, 2014, Chapter 8, Health Information Act

You need to know how mandatory privacy breach reporting will affect you!

Don't miss this!

Stay up to date on mandatory privacy breach reporting! Sign up here to receive tips, tools, templates, and training when they become available.

You will also receive occasional bits of FREE privacy wisdom tips, tools, templates, and training!

PRIVACY NUGGETS emails designed to provide to you tips, tools, templates and training that you can use right away!

Privacy Nuggets will be provided direct to your email in-box and includes:

privacy tips, tools, templates (usually including references to external resources) designed for you to share with your staff, patients, and family.
Privacy Breaches – What You Need to Know – you will receive an example of a recent privacy breach in the news that you can use to review and improve your practices. Learn from someone else's mistakes!
publication previews and announcements
workshop and webinar events

I am honoured that you choose to spend your time with me today.

Thank you for the opportunity to share my obsession about privacy, confidentiality and security with you!

I promise this list will be secure and you'll be able to unsubscribe at any time.

– Jean L. Eaton, Your Practical Privacy Coach

Alberta, Health Information Act, mandatory privacy breach reporting, privacy breach investigation, privacy breach notification, privacy nuggets

How Do You Declare as an Affiliate?

Posted on March 20, 2018 by Jean Eaton in Blog

Have you ever said,

“If only I had someone to ask . . . !”

Each month, we discuss your questions about practice management, human resources issues, clinic management best practices, procedures, resources, practical privacy tips, and more in Practice Management Success membership.

In this Q&A, we're talking about:

Q1: When you have multiple custodians in your practice, when and how does a custodian declare themselves as an affiliate?

Q2: What is the importance of the audit log in your EMR?

Q3: Do you have a privacy officer? Roles and Responsibilities of a Privacy Officer.

Q4: When a new physician / custodian joins your practice what forms do they need to complete?

Q5: How to report a patient demographic error in Netcare.

If you are a member of Practice Management Success, login and join me now on the webinar. The replay will be available in your membership area.

Not a member of Practice Management Success, yet?

What are you waiting for?

Get Your Practice Management Success membership

When might a custodian want to declare as an affiliate?

Individual custodians working for Alberta Health Services or other large health authorities
Team or group practice where there is a lead custodian.
Short–term contract relationship where the custodian joins a practice, for example, maternity leave coverage, or rural or contract practice
Custodian prefers an ‘employee’ relationship, for example,
- registered nurse working in a physician group practice,
- dental hygienist working in a dental practice

When a custodian is not working in the capacity of a custodian, or wishes to work as an affiliate AND there is another custodian who will assume the responsibility of a custodian, then the custodian can declare themselves as an affiliate to that named custodian.

I prefer to include the declaration as part of the Oath of Confidentiality process. You could choose to do this as a separate process –just make sure to document the declaration and keep it in your clinic business files!

affiliate, custodian, declare as an affiliate, Health Information Act, Practice Management Success

3 Parts to Every Privacy Awareness Training Plan

Posted on March 20, 2018 by Jean Eaton in Blog

Reasonable Safeguards – the Myth

You may have heard the myth that the Health Information Act (HIA) is a big scary thing that will interrupt your routine, rob you of countless billable hours, impact all of your staff, turn your office inside out, and change the way that you run your entire business!

Myth Buster

The HIA provides structure and framework for reasonable safeguards that apply to any healthcare business.

One of the requirements of reasonable safeguards includes having a privacy awareness training plan.

Privacy Awareness Training

Your Privacy Awareness Training Plan should include learning objectives throughout the year, including

Orientation – Standardized training curriculum provided to everyone in you healthcare practice at the time of employment. This is often included during a new employee’s orientation period.
Specific – Privacy training that is more detailed and specific to the roles and responsibilities of that individual’s job in your healthcare practice. There may also be specific training when new software, technology, or procedures are introduced anytime throughout the employment.
Reward – Keep privacy awareness top of mind all year long. Recognize and reward when individuals follow privacy principles that also add value to your client satisfaction or business efficiency.

It is reasonable to expect regular privacy awareness training, especially at orientation, and a formal review annually.

What a Privacy Awareness Training Plan Can Do For You

When you implement regular privacy awareness training, you will see:

Privacy and security expectations clearly communicated among your team.
Team members demonstrate their commitment to privacy, confidentiality, security of personal health information.
Efficient practices that protect the privacy and save you time and money
Team members confidently and correctly handle personal health information using reasonable safeguards

Are You a Myth-Buster?

You can be a myth-buster, too, and implement privacy awareness training in your healthcare practice.

You can easily implement reasonable safeguards and meet HIA requirements to ensure privacy, confidentiality, and security of health information that saves you time, frustration and money.

If you need a little help, I have written a practical privacy awareness training course designed for the community health care practice. This is ideal for orientation of new employees and a refresher for the rest of us.

Privacy Awareness in Healthcare: Essentials

Understand basic health care privacy principles and how to handle personal information, use safeguards, and recognize and report a privacy breach. Ideal for Alberta- and Ontario-based health care professionals and staff, direct care providers, or anyone working with a health care or social services organization.

Privacy Awareness in Healthcare: Essentials

Grab your on-line course from Information Managers and Corridor Interactive for just $25 per person now!

Click Here to Grab Your On-Line Privacy Awareness Course Now!

Alberta, Health Information Act, Ontario, privacy awareness training, reasonable safeguards

What is an Information Manager Agreement (IMA)?

Posted on October 25, 2017 by Jean Eaton in Blog

Having a clear agreement of how patient records will be maintained to ensure privacy, security, and confidentiality in a paper based patient record or in a shared EMR database is the objective of an Information Manager Agreement. This may also be called a Data Sharing Agreement, Information Sharing Agreement, or Business Associate Agreement.

Prenuptial Agreement

In a group healthcare practice, have a clear understanding in writing that sets out how patient records will be collected, used, and disclosed during the group practice is critical to the security of the patient information, health service provider information, and good will between members of the group practice. Think of this as the ‘prenuptial' agreement in your business relationship.

Who is an Information Manager?

In Alberta, the Health Information Act (HIA) defines an information manager. Generally, it is a special kind of an affiliate, usually a business or a vendor, who provides a service that does some specific task (authorized by the custodian) with health information. This could be a billing agent, accredited billing submitter, outsourced transcriptionist, EMR vendor or other service provider.

If you are using an EMR vendor, the named individuals on the IMA are the only persons that the software vendor can receive instructions on how to manage the records in the database. Often, this is the physician lead and business owner.

Sometimes, the custodian is also the information manager. For example, a physician (custodian) and business owner may assume the responsibility of ensuring the security of all the patient records authored by other custodians in the group practice. The physician / custodian / business owner / information manager must follow all the rules of the IMA and HIA.

Not every healthcare practice has an information manager. Some group practices have many information mangers providing different services. There are many details and options to consider. The discussion–and then putting it in writing–is the key to positive business relationship and secure records management.

Avoid surprises – and nasty exits

Some tips to prevent surprises:

Take a pro-active privacy role and inform patients how their information will be protected during the routine practice operations and when healthcare providers are added to – or leave – the practice.
Decide how you are going to decide about the on-going operational changes to how the software will be used in your practice.
Identify in the EMR software who is the primary (or default) healthcare provider for each patient. Talk with your software vendor how best to record this.

It’s never too late to start! If you missed creating an Information Management Agreement or Data Sharing Agreement in your group practice, do it now!

See the Digital Resources for samples that you can use.

Clinic on the Infographic to download

Download our Infographic, “What is an IMA?”

Watch the Video

business arrangement agreement, data sharing agreement, Health Information Act, HIA, IMA, information manager agreement, information sharing agreement, PIA, Practical Privacy Coach, Privacy Impact Assessment

Why You Need Privacy Awareness Training

Posted on May 15, 2017 by Jean Eaton in Blog

There are many examples of privacy breaches internal to healthcare organizations–Snooping. Hacking. Unsecure emails with patient information. Faxes sent to the wrong person. Patient records found in garbage cans. Ransomware. Mobile devices without encryption being lost or stolen.

Privacy legislation, professional standards and best practices require healthcare professionals and their employees and business associates to protect against reasonably anticipated threats to the security and confidentiality of health information.

Privacy in healthcare is important.

A Privacy Breach Affects the Individual, the Business, and the Healthcare Industry

After a privacy breach, the individual may now be at a real risk of significant harm (ROSH) from identity theft, stalking, loss of employment, and financial loss if the information is used for fraud.

The individual affected by the privacy breach may be embarrassed, inconvenienced, or angry.

Of importance in healthcare is the risk of medical identity theft where the breached information is used to fraudulently access healthcare services. Because of this, inaccurate information added to the owner’s healthcare records which can cause errors or delays in receiving necessary care and treatment.

Without privacy awareness training

Privacy breaches are expensive –bad publicity, loss of business, loss of goodwill, fines, penalties, and sanctions. Ontario PHIPA legislation, for example, has recently doubled its fines. Personal Health Information Protection Act (PHIPA) including Bill 119, the Health Information Protection Act (HIPA) – Amendments to the Personal Health Information Protection Act (PHIPA) which was proclaimed in 2016. With the introduction of Bill 119, the fines for offences have doubled from $50,000 to $100,000 for individuals and $250,000 to $500,000 for organizations.

Privacy breaches affect all healthcare businesses. The healthcare system is a highly integrated information sharing system designed to provide timely and accurate care and treatment to patients, and to receive financial compensation for those services. A weakness or problem at one business may have down-stream implications to other businesses. When one business has a privacy or security breach, there is a risk that the public (including patients and clients) may think that all healthcare businesses have the same problems.

Privacy Awareness Week #PAW2017

Privacy Awareness Week (May 15-21) is a global effort coordinated by members of the Asia Pacific Privacy Authorities (APPA) to promote awareness of privacy issues and the importance of the protection of personal information. Each year various members of APPA and other supporters across the world develop resources and communications materials to support their activities during Privacy Awareness Week.

Pause for Privacy #PAW2017

Why Invest in Training?

New technology, regulatory and legislative changes, and new office procedures are common triggers to provide training in any business. Your employees need to learn these skills so that they can be efficient at their jobs. When you provide training, you give employees the tools that they need to succeed and contribute to an efficient practice.

As an employer and healthcare provider, you are responsible to provide training to all your employees about privacy awareness.

There are many examples of privacy breaches that dispel the myth that someone who has worked in healthcare for a long time, or has had advanced university training and professional ethics automatically understand how to properly manage personal health information. We know that errors in judgment and malicious intent can occur at every level of a healthcare organization. A common, comprehensive privacy awareness training provides a foundation for everyone in the organization to confidently and properly handle personal health information. A documented program will help to mitigate the risks to an organization when an individual jeopardizes personal health information even after receiving privacy awareness training.

[clickToTweet tweet=”Myth: Experienced healthcare workers automatically understand how to properly manage personal health information #PHI” quote=”Myth: Experienced healthcare workers automatically understand how to properly manage personal health information.”]

What is the Best Way to Provide Training?

The best privacy awareness training program includes a mix of formal, planned training programs and episodic, just in time, targeted education opportunities. Consider a privacy awareness training program strategy that includes:

Privacy awareness foundation – in-person or on-line for everyone in your practice including new employees, healthcare professionals, support team, vendors and business associates.
Specific training – when there is new or changes in software, equipment, procedures or practices, employee promotion or change in roles.
General reminders throughout the year in fun and multi-media formats; quizzes, posters, articles, training tips at staff meetings, frequently asked questions (FAQ), etc.
Demonstrate good privacy and security practices and behaviours throughout the year.
Recognize when individuals demonstrate following privacy principles that also add value to your patient satisfaction or business efficiency.

Benefits of Privacy Awareness Training

Privacy awareness training is needed in your healthcare practice to

Understand patient and client privacy rights.
Respect personal health information and your obligations.
Confidently and correctly handle personal health information.
Use reasonable safeguards to protect personal health information (PHI).
Recognize and respond to a privacy breach
Support key policies, procedures and risk management programs in your healthcare practice.

Benefits of Privacy Awareness Training

Regular privacy awareness training is considered a common reasonable safeguard to protect patient information and the reputation of the healthcare providers.

Many privacy breaches are avoidable. Privacy awareness training can help prevent privacy breaches or help employees to spot and stop the breach quickly.

Initiatives like Privacy Awareness Week also provide additional tips, templates, tools, and training from supporters of this event. You can follow Privacy Awareness Week on Twitter using the hashtag #PAW2017 and #PrivacyAware.

In conjunction with Privacy Awareness Week, Information Managers www.InformationManagers.ca and Corridor Interactive www.CorridorInteractive.com have announced the release of the newest addition of the “Privacy Awareness in Healthcare: Essentials” series with a focus on Ontario’s Personal Health Information Protection Act (PHIPA) legislation. The first on-line privacy awareness training in this series released in 2016 focused on Alberta’s Health Information Act. Many other provinces have health information legislation as well, and while some of the key terms differ from province to province, this privacy awareness training is applicable to any organization that collects, uses, and discloses personally identifying information.

More information can be found here https://InformationManagers.ca/Privacy-Awareness-Corridor/.

#PAW2017, #PrivacyAware, Corridor Interactive, Health Information Act, healthcare, medical, Personal Health Information Protection Act (PHIPA), Privacy Awareness in Healthcare: Essentials, privacy awareness training, privacy awareness training in healthcare, Privacy Awareness Week

Do You Need a New PIA When You Open a New Location?

Posted on August 30, 2016 by Jean Eaton in Blog

Congratulations! You are expanding to a new location!

Do you have a PIA for that?

When a physician or another healthcare provider opens another location and both locations are remarkably similar – same employer, same ownership, same EMR and backup practices, etc. – then you may need to only update or amend your original Privacy Impact Assessment.

My recommendation is to review the ‘Clinic Description’ of the initial Privacy Impact Assessment and edit and update all changes.

This will help you to determine if they need a new Privacy Impact Assessment for the new location. If you have a lot of updates – you might need to prepare a Privacy Impact Assessment Amendment and include the information about your new location.

If there are no significant changes, then it may be sufficient to update the clinic description for both clinics, add the additional description of the new clinic and send a Privacy Impact Assessment Amendment to the OIPC. This can often be a letter with an attachment of the updated clinic description.

Most clinics have had, at least, a change in staffing, physicians, and privacy officers.

Has the legislation changed?

Don't forget to consider when the original Privacy Impact Assessment was completed. If it was prior to 2014 then you will need to update your policies and procedures including the amendments to Alberta's Health Information Act and Alberta Electronic Health Records Regulations.

For more information about PIA's see our introductory video.

amendment, Health Information Act, PIA, Privacy Impact Assessment

1 2 3