Information Managers
  • Home
  • Services
    • All Services
  • Templates
  • Blog
  • Contact Us
  • Practice Management Success
  • Podcasts

Why You Need Privacy Awareness Training

Posted on May 15, 2017 by Jean Eaton in Blog

There are many examples of privacy breaches internal to healthcare organizations–Snooping. Hacking. Unsecure emails with patient information. Faxes sent to the wrong person. Patient records found in garbage cans. Ransomware. Mobile devices without encryption being lost or stolen.

Privacy legislation, professional standards and best practices require healthcare professionals and their employees and business associates to protect against reasonably anticipated threats to the security and confidentiality of health information.

Privacy in healthcare is important.

A Privacy Breach Affects the Individual, the Business, and the Healthcare Industry

After a privacy breach, the individual may now be at a real risk of significant harm (ROSH) from identity theft, stalking, loss of employment, and financial loss if the information is used for fraud.

The individual affected by the privacy breach may be embarrassed, inconvenienced, or angry.

Of importance in healthcare is the risk of medical identity theft where the breached information is used to fraudulently access healthcare services. Because of this, inaccurate information added to the owner’s healthcare records which can cause errors or delays in receiving necessary care and treatment.

without privacy awareness training

Without privacy awareness training

Privacy breaches are expensive –bad publicity, loss of business, loss of goodwill, fines, penalties, and sanctions. Ontario PHIPA legislation, for example, has recently doubled its fines. Personal Health Information Protection Act (PHIPA) including Bill 119, the Health Information Protection Act (HIPA) – Amendments to the Personal Health Information Protection Act (PHIPA) which was proclaimed in 2016. With the introduction of Bill 119, the fines for offences have doubled from $50,000 to $100,000 for individuals and $250,000 to $500,000 for organizations.

Privacy breaches affect all healthcare businesses. The healthcare system is a highly integrated information sharing system designed to provide timely and accurate care and treatment to patients, and to receive financial compensation for those services. A weakness or problem at one business may have down-stream implications to other businesses. When one business has a privacy or security breach, there is a risk that the public (including patients and clients) may think that all healthcare businesses have the same problems.

Privacy Awareness Week #PAW2017

Privacy Awareness Week (May 15-21) is a global effort coordinated by members of the Asia Pacific Privacy Authorities (APPA) to promote awareness of privacy issues and the importance of the protection of personal information. Each year various members of APPA and other supporters across the world develop resources and communications materials to support their activities during Privacy Awareness Week.

 

Pause for Privacy

Pause for Privacy #PAW2017

 

Why Invest in Training?

New technology, regulatory and legislative changes, and new office procedures are common triggers to provide training in any business. Your employees need to learn these skills so that they can be efficient at their jobs. When you provide training, you give employees the tools that they need to succeed and contribute to an efficient practice.

As an employer and healthcare provider, you are responsible to provide training to all your employees about privacy awareness.

There are many examples of privacy breaches that dispel the myth that someone who has worked in healthcare for a long time, or has had advanced university training and professional ethics automatically understand how to properly manage personal health information. We know that errors in judgment and malicious intent can occur at every level of a healthcare organization. A common, comprehensive privacy awareness training provides a foundation for everyone in the organization to confidently and properly handle personal health information. A documented program will help to mitigate the risks to an organization when an individual jeopardizes personal health information even after receiving privacy awareness training.

[clickToTweet tweet=”Myth: Experienced healthcare workers automatically understand how to properly manage personal health information #PHI” quote=”Myth: Experienced healthcare workers automatically understand how to properly manage personal health information.”]

What is the Best Way to Provide Training?

The best privacy awareness training program includes a mix of formal, planned training programs and episodic, just in time, targeted education opportunities. Consider a privacy awareness training program strategy that includes:

  • Privacy awareness foundation – in-person or on-line for everyone in your practice including new employees, healthcare professionals, support team, vendors and business associates.
  • Specific training – when there is new or changes in software, equipment, procedures or practices, employee promotion or change in roles.
  • General reminders throughout the year in fun and multi-media formats; quizzes, posters, articles, training tips at staff meetings, frequently asked questions (FAQ), etc.
  • Demonstrate good privacy and security practices and behaviours throughout the year.
  • Recognize when individuals demonstrate following privacy principles that also add value to your patient satisfaction or business efficiency.

Benefits of Privacy Awareness Training

Privacy awareness training is needed in your healthcare practice to

  • Understand patient and client privacy rights.
  • Respect personal health information and your obligations.
  • Confidently and correctly handle personal health information.
  • Use reasonable safeguards to protect personal health information (PHI).
  • Recognize and respond to a privacy breach
  • Support key policies, procedures and risk management programs in your healthcare practice.
Benefits of Privacy Awareness Training

Benefits of Privacy Awareness Training

Regular privacy awareness training is considered a common reasonable safeguard to protect patient information and the reputation of the healthcare providers.

Many privacy breaches are avoidable. Privacy awareness training can help prevent privacy breaches or help employees to spot and stop the breach quickly.

 

 

Initiatives like Privacy Awareness Week also provide additional tips, templates, tools, and training from supporters of this event. You can follow Privacy Awareness Week on Twitter using the hashtag #PAW2017 and #PrivacyAware.

In conjunction with Privacy Awareness Week, Information Managers www.InformationManagers.ca and Corridor Interactive www.CorridorInteractive.com have announced the release of the newest addition of the “Privacy Awareness in Healthcare: Essentials” series with a focus on Ontario’s Personal Health Information Protection Act (PHIPA) legislation. The first on-line privacy awareness training in this series released in 2016 focused on Alberta’s Health Information Act. Many other provinces have health information legislation as well, and while some of the key terms differ from province to province, this privacy awareness training is applicable to any organization that collects, uses, and discloses personally identifying information.

More information can be found here https://InformationManagers.ca/Privacy-Awareness-Corridor/.

#PAW2017, #PrivacyAware, Corridor Interactive, Health Information Act, healthcare, medical, Personal Health Information Protection Act (PHIPA), Privacy Awareness in Healthcare: Essentials, privacy awareness training, privacy awareness training in healthcare, Privacy Awareness Week

Do You Need a New PIA When You Open a New Location?

Posted on August 30, 2016 by Jean Eaton in Blog

Congratulations! You are expanding to a new location!

Do you have a PIA for that?

When a physician or another healthcare provider opens another location and both locations are remarkably similar – same employer, same ownership, same EMR and backup practices, etc. – then you may need to only update or amend your original Privacy Impact Assessment.

My recommendation is to review the ‘Clinic Description’ of the initial Privacy Impact Assessment and edit and update all changes.

This will help you to determine if they need a new Privacy Impact Assessment for the new location. If you have a lot of updates – you might need to prepare a Privacy Impact Assessment Amendment and include the information about your new location.

If there are no significant changes, then it may be sufficient to update the clinic description for both clinics, add the additional description of the new clinic and send a Privacy Impact Assessment Amendment to the OIPC. This can often be a letter with an attachment of the updated clinic description.

Most clinics have had, at least, a change in staffing, physicians, and privacy officers.

Has the legislation changed?

Don't forget to consider when the original Privacy Impact Assessment was completed. If it was prior to 2014 then you will need to update your policies and procedures including the amendments to Alberta's Health Information Act and Alberta Electronic Health Records Regulations.

For more information about PIA's see our introductory video.

amendment, Health Information Act, PIA, Privacy Impact Assessment

Can You be Charged Under the Health Information Act ?

Posted on December 2, 2015 by Jean Eaton in Blog

If you access personal health information without authorization, this is a privacy breach.

You can be charged with a fine under the HIA and can face penalties, fines, and sanctions from your professional association.

How frequently are people being charged under the Health Information Act in Alberta for improper access to health information?

“This year alone, there has been one conviction and two charges for improper access of health information. The office is also investigating more than a dozen cases, and they all have the potential to become offence investigations.” Medical record privacy breaches an ‘epidemic' in Alberta,' says commissioner CBC News Posted Oct 15, 2015.

An investigation by the Alberta Office of the Information and Privacy Commissioner (OIPC) has resulted in 26 charges being laid against an individual under the Health Information Act (HIA) as reported in a OIPC News Release December 1, 2015. An incident at the Alberta Children’s Hospital in Calgary was reported by Alberta Health Services to the OIPC. The OIPC conducted an investigation and upon completion of the investigation charges were laid against the individual who allegedly gained access to health information in contravention of HIA.

This is the sixth time charges have been laid under provisions of HIA. The maximum penalty for each offence is $50,000.

Who is a custodian?

The custodian (as defined by HIA a ‘custodian' includes physicians, pharmacists, dentists, chiropractors, optometrists, Alberta Health Services, Minister of Alberta Health and more). The custodian is responsible to take reasonable steps prevent privacy and security breaches including providing privacy awareness training.

Do you have a privacy awareness program?

Do you have a privacy awareness program in your practice that everyone must attend? This includes healthcare providers, students, residents, office staff and, yes, even the non-patient care employees like cooks, cleaners, and maintenance staff.

Have you seen this?

Do You Need Privacy Awareness Training for Your Healthcare Practice?

 

 

fines, Health Information Act, HIA, privacy awareness training, privacy breach

Prevent Big Fines (or Worse!) for Your Healthcare Practice; Learn How to Plan a Privacy Impact Assessment

Posted on November 18, 2015 by Jean Eaton in PMN Replay, Practice Management Nugget Interview

Join us for the free webinar,

How to Plan a Privacy Impact Assessment for Your Healthcare Practice

A PIA should be as common place to a healthcare practice as a business plan is to a business. BUT most healthcare practices don't know this and often don't know that a PIA is  usually part of their professional college requirements and often even a legislated requirement! Prevent malicious errors, omissions or attacks that could result in fines and even jail time for the business, healthcare provider, employee, or vendor by completing a PIA.

You need a Privacy Impact Assessment when:

  • You  are opening a new clinic or establishing a new health services program.
  • You are changing administrative procedures or technology equipment, services, or vendors
  • You are changing how you collect and use personal information,
  • You are implementing or changing an Electronic Medical Records (EMR)
  • You are sharing health information with another healthcare provider, organization, Primary Care Network or other health program.
  • You have a Privacy Impact Assessment that was written more than 2 years ago? (It is time to review and update this!)

Doing a Privacy Impact Assessment for your practice is easy – once you figure it out.  I have helped hundreds of clients complete their Privacy Impact Assessment and visited hundreds of practices across Alberta.  I've figured it out . . . so you don't have to! Now I’m going to share with you what you need to know to plan your PIA. 

profileLadywithBriefcase_v2Jean L. Eaton, the Practical Privacy Coach, will give you an overview of the Privacy Impact Assessment process, including:

  • What is a PIA
  • When do you need a PIA
  • How to plan a PIA

You will get

  • Learning Resource Guide
  • Checklists to help you plan your PIA

This is for you if you are a healthcare provider, practice manager, or vendor that supports a healthcare provider in a group or solo practice with direct patient care, for example a:

  • Physician
  • Pharmacist
  • Registered nurse
  • Optometrist or optician
  • Chiropractor
  • Physiotherapist
  • Midwife
  • Podiatrist
  • Dentist, dental hygienist or denturist
  • Audiologist
  • Mental health practicitioner
  • Laboratory, x-ray, and imaging technician
  • Paramedic

In this FREE 30-minute Practice Management Nugget Webinar  Jean will answer your questions about planning a PIA for your healthcare practice. I have a Special BONUS Gift for those who show up live – Don't miss out and register today!

Planning a PIA for your healthcare practice is easy when you have tools, resources and the Practical Privacy Coach and Practice Management Mentor to help you.

Recorded Live Thursday, December 3, 2015

 

Watch the replay here.


Learning Guide How to Plan a PIA Information Managers

 

Health Information Act, healthcare, PIA, Practical Privacy Coach, Practice Management Mentor, Privacy Impact Assessment

Disclosure to a third party

Posted on July 30, 2014 by Jean Eaton in Blog

Patient Access to Health Records

Healthcare providers have a duty to assist the patient when the patient wants to access their own information or request that it be disclosed.

Can a patient authorize disclosure to third party?

Common requests for patient records include patients authorizing their own information to be sent to a third party. The third party – insurance agent, employer, government agency, etc – sometimes acts on behalf of the patient to request the patient’s records from their healthcare provider. The third party will often use their own forms. When the healthcare provider receives the request, they may have questions about the request.

If the custodian / physician has any questions or concerns about the request, they can (and should) get clarification before releasing the information.  You could:

a)  request the third party to provide clarification or provide a revised consent authorized by the patient or

b)  refuse the request and state the grounds (reminder – you need to state the legal authority not to process the request) or

c)  healthcare provider contact the patient directly to discuss the request to release records.  This is my personal favourite option. This meets the obligation of duty to assist, provides clarity for both the patient and the custodian about what information is (and is not) included in the response to the 3rd party.  You can have the patient book an appointment with the custodian to review the request and then update or provide a new consent to release.

Valid consent criteria

Valid consent criteria includes:

  1. Identify the individual (patient)
  2. Who has been authorized to disclose
  3. To whom
  4. Explicitly what information
  5. For what purpose
  6. Legal authority
  7. Patient acknowledgment
  8. Date, sign, valid until

‘Valid Until’

‘Valid Until’ is not a requirement under Health Information Act, however it is good practice.

The length of time ‘valid until’ is often discretionary to the custodian – often 30-90 days or whatever is reasonable to:

a) ensure that the patient authorizing the release can provide informed consent and

b) reasonable length of time to process the request (standard is 30 days turn-around to respond to a request)

A patient has the right to know how their health information is being collected, used, and disclosed. A patient has the right to access their own health information. A healthcare practice that demonstrates attention to detail, courtesy to the patient, and respect for confidentiality will also have good business practices and excellent customer service.

As a practice manager, clinic manager, healthcare provider or employee, it is your job to make sure that you know how to respond to access request, process the request, and provide good customer service. See our new series of articles, one article each week starting July 14, on the key steps in ‘Patient Access to Health Records.’

Additional resources:

Alberta Health and Wellness. HIA Guidelines and Practices Manual.

“Best of the Practice Management Nugget interviews’ will be posted next Thursday and will include the replay – and resources – for ‘Patient Access to their records’.  See informationmanagers.ca/pmn-events-live

 

Your comments and discussion are encouraged – join our new LinkedIn group, Practice Management Nuggets. When you are signed into LinkedIn, simply go to ‘interests’, ‘groups’, search for ‘Practice Management Nuggets’ and request to join.

Health Information Act, health records, patient access, patient rights, Practice Management Mentor, third party requestors, valid consent

What’s On Your Privacy & Security List for 2014?

Posted on January 6, 2014 by Jean Eaton in Blog, Past Events

Time to update your Privacy Management Program plan for 2014!

Complimentary Bonus Webinar

Clinic Manager’s Privacy & Security Top 10 List

Includes: Email security, mobile devices, managing vendor agreements, privacy breaches, privacy officer role and responsibility training and more!

Ideal for clinic manager, practice manager, privacy officer in any healthcare setting – a check list of key tasks important to your Privacy Management Program. Resources and links for additional information.

Tuesday January 14th, 2014
12:00 pm—1:00 pm MST

Register Here

* indicates required



I would also like to be contacted about:

Webinar 2014 Jan 14 at 12 noon MST

Email Format


best practice, clinic manager, Health Information Act, healthcare, practice manager, privacy, privacy and security, privacy by design, privacy management program, training

Alberta Netcare: What are your Patient Rights?

Posted on January 25, 2013 by Jean Eaton in Blog

Primary Care Providers may expect their patients to be asking more questions about Health Information in Netcare. Review this information and your policies and procedures with your staff so that you know how to respond.

In order to mark Data Privacy Day 2013 (January 28, 2013), the Information and Privacy Commissioner of Alberta, Jill Clayton, has announced a new initiative to inform Albertans about their privacy rights.

Under the authority of the Health Information Act (HIA), your health information is available through the province-wide electronic record system named Alberta Netcare. Netcare is a network of information systems that allows authorized users to see prescriptions, lab results, diagnostic images, and hospital reports. It is used throughout Alberta in hospitals, and in medical clinics and pharmacies.

Consent to have your health information in Netcare is not required by law, but you do have rights that allow you to exercise privacy control.

With the provincial electronic health record system, Alberta Netcare, you have the right to:

Know why your health information is collected and whether it is available in Netcare
Know what information about you is in Netcare by asking for a print-out
Limit access to your Netcare record by asking for your information to be masked
Know who has looked at your information in Netcare
Request that errors be corrected
Ask the Information and Privacy Commissioner to review or investigate if you are not satisfied with a decision or response you receive about any of these rights

See the OIPC webpage and contact information, visit: http://www.oipc.ab.ca/pages/HIA/NetcareKnowYourRights.aspx

To view the News Release from the OIPC, visit: http://www.oipc.ab.ca/Content_Files/Files/News/NR_Netcare_Know_Rights_Jan_2013.pdf

access, Alberta, electronic health record, Health Information Act, Netcare, OIPC, patient rights, privacy

Charges laid under the Health Information Act

Posted on October 31, 2012 by Jean Eaton in Blog

A self-reported breach by an individual to the Office of the Information and Privacy Commissioner resulted in an offence investigation being opened into suspicious access to health information. The completed investigation, after being referred to Crown prosecutors at Alberta Justice, led to thirty-one charges under the Health Information Act being laid for improperly accessing other individuals’ health information. Another charge was laid for inappropriate use of health information, another for inappropriate disclosure of health information, and one more charge for knowingly falsifying a record. In addition to these thirty-four charges under the Health Information Act, six charges were also laid under the Criminal Code.

The Calgary Herald reports that Brian Hamilton, OIPC Director for the Health Information Act, would only confirm the accused is not a doctor or other medical professional. The matter will be heard in Airdrie Provincial Court on Thursday, October 18, 2012.

The Edmonton Journal also reported that, in addition to the charges under the Health Information Act, the accused may face up to six Criminal Code charges.

Each organization has a responsibility to ensure that their employees (affiliates) receive education and training in their roles and responsibilities under the HIA. Information Managers can help you by providing training on-site and now by webinar. Click here for more information.

For more information, see:
the OIPC Website (http://www.oipc.ab.ca/Content_Files/Files/News/NR_Oct_2012.pdf)

http://www.calgaryherald.com/health/Charges+laid+improper+access+health+files/7400003/story.html

http://www.edmontonjournal.com/health/Alberta+Justice+lays+charges+improperly+accessing+health+information/7399425/story.html

access, Alberta, complaint, disclosure log, Health Information Act, HIA, improperly accessing health information, OIPC, privacy, privacy breach, training

Calgary pharmacy found in violation of patient privacy rules

Posted on October 31, 2012 by Jean Eaton in Blog

Remember the Privacy Principles – least amount of information, on a need to know basis? This recent investigation report from the OIPC reminds us to review our practices to collect information from patients to ensure that we are meeting our best practice standards.

An investigation into a southwest Calgary Co-op pharmacy has found its practice of collecting information on the immune status of an individual when they seek administration of an injection contravenes the Health Information Act.

A patient of the pharmacy contacted the privacy commissioner in April 2012 after he was presented with a form that asked if he had a condition that affects the immune system when he went to the Co-op Shawnessy Centre Pharmacy to receive a vitamin B12 injection.

The patient feared being stigmatized due to an immune disorder that he suffered from, and felt that the amount of information being demanded was excessive. He filed a complaint after being refused treatment without providing the information.

The Health Information Act specifies that custodians must only collect the most limited amount of health information to carry out an intended purpose.

For more information, see:
http://www.calgaryherald.com/health/Calgary+Pharmacy+found+violation+patient+privacy+rules/7346243/story.html

complaint, Health Information Act, HIA, OIPC, privacy, privacy principles
123

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

The Data Privacy Day E-Course was very helpful and it made you think more seriously. I actually made some changes to my computer along way.

- Danielle

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2022 Information Managers Ltd.