Information Managers

How To Build a Legal Foundation For Your Healthcare Practice

Posted on July 5, 2021 by Meghan in Blog


Many healthcare providers are excited to open their first independent practice but have many questions about how to build a legal foundation for their practice.

Corinne Boudreau of Online Legal Essentials can help you!

On the most recent episode of Practice Management Nuggets podcast, I interviewed Corinne Boudreau of Online Legal Essentials. Corinne has developed guided legal templates for Canadians doing business online.

Corinne has a knack for making things practical and easy to implement. Being a lawyer since 2002 has given her perspective and experience to boil things down to the essentials.

Corinne’s advice is that the essential business documents you need for a new healthcare practice are based on relationships. Relationships are triggers for business documents to help improve communication and set expectations – get it in writing!

For example:

Relationships with patients or clients

  • Terms of service and payments documents

Relationships with employees, contractors, associates

  • Hiring documents

Relationships with other healthcare providers in a group practice

  • Fee splitting and payment options
  • Cost sharing agreements

Relationships with landlords

  • Commercial lease agreements

Relationships with the public

  • Privacy policies including on your website
  • Copyright notices when you create and distribute your unique content

Your Big (or Small) Online Presence

Every practice needs an online presence of some kind. Maybe your brick-and-mortar local clinic only needs a simple business card presence to attract new patients and let them know how to find you. Or maybe you will offer virtual visits, online memberships or courses, or online sales of physical products. It is important to project yourself as a business owner by having a professional presence on your website – this includes having a privacy policy, copyright notice, disclaimers, and terms of use statement.

Should You Incorporate?

In the podcast, Corinne discusses corporate structure options for healthcare practices, including the difference between business entities such as an incorporated business, partnership, or corporation and a professional corporation when you are a member of a regulated health profession.

Listen To The Podcast

What Should Healthcare Practices Know About The Legal Foundation For Their Business? | Episode #101.

Expert tips with Corinne Boudreau of Online Legal Essentials. Practice Management Nuggets For Your Healthcare Practice.

Listen To The Podcast Here

Templates Make It Easy!

You know that I love templates – and tips, tools, and training to make it easy!

Corinne delivers guided customizable templates to help you set up your business, operate your brick-and-mortar local business, or your online business!

Get started right away with the free Ultimate Checklist for Running a Business Online in Canada.

Download the free guide from Corinne here

Do Your Patients Know Your Office Holiday Hours?

Posted on June 21, 2021 by Jean Eaton in Blog

Holiday hours templates are great opportunities to easily create social media content for your healthcare practice–let your patients know about changes to your office holiday hours.

The Easy Way to Add Content to Your Social Media

One of the most frequent questions that every office receives is – what are your office hours?

It makes sense to share this information in an automated way. This saves time in the telephone queue and makes everyone's day a little smoother. Add the information to your telephone answering system messages, website, posters in your clinic, and in your social media channels.

Common social media channels include Facebook, Twitter, and Instagram.

When the content appears in your social media channel, your patients will expect regular updates from you around each holiday and will return to your social media channel again and again over the year.

Let your patients know about changes to your office holiday hours!

  • Encourage your patients to visit your social media over and over again!
  • Easy for you to add content that your patients want to see.
  • No new technology for you to learn – copy and paste!

There is a simple way to create this content.

Follow these steps:

1. Select Your Images

You can use any related image and size it to print and display in your clinic or your social media channel.

2. Add Your Logo

You could use an image without adding your branding. But, for more impact, I recommend that you take just a few minutes and use photo editing software to add your clinic name and logo to the image. You want the reader to know which clinic the image is about! This is also a good way to continue branding for your clinic.

There are many free and easy photo editing software systems. I like to use Canva.

Once your images are edited, download them to your computer network system.

3. Prepare Your Social Media Content

Working with your authorized social media manager, confirm your holiday hours and related messages.

Use this sample message that you will type into the new social media post.

Happy Canada Day from all of us at ABC Clinic! Please note we will be closed Thursday July xx to Monday July xx.

We will be back to regular office hours on Monday. For our latest hours of operation, please visit our website [insert website address].

4. Save Your Files

Keep a copy of your images and your social media messages for use next year.

You might store the images and your notes on a shared folder on your computer network. For example,

Social Media >> Holiday Announcements >> Month Holiday

5. Publish Your Holiday Announcements

Add your images and the messages to your website and social media channels.

You can even use the image and print as a poster to display in your practice.

Add a text comment to your post. Asking a question encourages comments and engagement. For example, Summer is here! What is your favourite summer holiday tradition?

Bonus Tip!

Create more engagement with your patients and clients when you invite your staff to contribute their favourite summer holiday tradition to your social media post.

Or, create a ‘bulletin board' with your holiday hours announcement and add the quotes from your staff about their holiday traditions or their favourite picnic recipe.

 

Let Me Make This Easier For You!

I've found images that you can use for your office holiday hours messages.

Download the FREE Holiday Hour Templates

and receive 10 images that you can use all year long!

 


Get the Free Statutory Holidays Images Templates

Would you like more tips like this?

Members of Practice Management Success Membership enjoy access to tips, tools, templates and training to help you start, grow, fix, or maintain your healthcare practice!

Membership is open to all healthcare practices of any size – physicians, optometrists, audiologists, dentists, chiropractors, physiotherapists, nurse practitioners, and more!

Members have access to online resources when they need them, along with networking and support from other clinic managers, practice managers, and healthcare providers in independent community practices – just like you!

Learn More About Practice Management Success

What Does a Ransomware Attack Look Like to Patients?

Posted on June 14, 2021 by Meghan in Blog


One of my favourite podcasts is Help Me with HIPAA. This weekend I listened to Episode 304 Ransomware Creates a Social Media Privacy Violation Storm while I was spring-cleaning my yard.

Donna and David discuss, in (almost) real time, a ransomware attack that was then under way at one of San Diego, California’s main health systems, Scripps Health. The attack resulted in practically all of its technology being taken down. The EHR went down, patient portals were down, appointments had to be rescheduled, patients had to be diverted to other hospitals… even their website was down.

This podcast episode isn’t about the technology behind ransomware. Donna and David walk you through the impact on patients – from the inconvenience and frustration to the disastrous consequences of not having health information available when it is most needed.

This gripping story reveals how communication failures, systems failures and a lack of information snowballed to negatively affect patients when they needed help the most.

My Takeaways From This Help Me With HIPAA Episode

Ransomware is nefarious and its impact is far-reaching.

  • Patient care is compromised – patient information is not accessible, and it is unknown what information can be retrieved and, if it is retrieved, if it is complete and accurate.
  • Privacy breach – obviously! The hackers have patient, employee and business information and have threatened to release it publicly.
  • BUT – employees are also continuously breaching privacy while they are responding to patient concerns on social media DURING the ransomware attack.
  • Employees cannot access their information to do their jobs – work schedules, payroll, portals to perform their jobs. So, alternate, unauthorized workflows are implemented to get the job done which subsequently results in more breaches.
  • While the press release from Scripps Health indicates that they have trained and prepared personnel, the communication from Scripps to patients, employees, and the public has been disorganized, conflicting, and continuously breaching privacy and confidentiality.

I urge you to listen to this episode (about 30 minutes).

Listen to the Help Me With HIPAA Podcast HERE!

[Start at 18:19 minutes]

What Would You Do?

How would you and your team respond to this type of privacy breach?

Share this episode with the members of your incident response plan. Then, use the scenario to conduct a table-top privacy breach fire drill using your privacy breach management plan.

These table-top privacy breach fire drills are a great demonstration of your commitment as an organization to protecting the privacy, confidentiality, and security of health information.

Now hop over and listen to the Help Me With HIPAA episode to better understand what a ransomware attack looks like to a patient.

https://helpmewithhipaa.com/privacy-questions-everywhere-ep-304/ [Start at 18:19 minutes]


Positively Represent Your Healthcare Practice with a Dress Code Policy

Posted on May 20, 2021 by Meghan in Blog

Professional Appearance Positively Represents Your Healthcare Practice

Do you have a dress code policy in your healthcare practice? You might be in the front office or a healthcare provider. You might wear uniforms, lab coats, or business clothes. Regardless of your interaction with clients, customers, suppliers, contractors, or volunteers, the appearance of employees at your business supports your business image brand.

Patients and their families have reasonable expectations that their healthcare providers and employees at the clinic present themselves in a professional manner both in demeanor and appearance.

Why have a healthcare practice dress code policy?

Dress code policies, procedures and training will help to ensure a professional and consistent appearance of employees while also positively representing and supporting your business brand.

  • A policy provides guidance in making choices about clothing and appearance, for all staff.
  • The professional appearance of your staff supports the image and positive reputation of the clinic.
  • Use of uniforms and name badges creates a greater level of security and recognition for staff and patients.

What are some dress code guidelines?

General Guidelines:

If you do not have direct patient contact (e.g., billing clerk, consulting pharmacist, receptionist), wearing uniforms is optional. If you choose not to wear a uniform or lab coat, consider these guidelines when choosing clothes at the office:

Name Badges:

  • Help to identify you to our patients and clients.
  • Are provided by the clinic to each employee.
  • These are to be worn at all times.
  • If you are not wearing a name badge, you may be denied entry into restricted areas of the clinic.

Shoes:

  • Closed toes and closed heels or heel straps.
  • No high heels or built-up soles that could endanger yourself or patients.
  • Non-slip footwear.

Hair:

  • Clean and neatly groomed.
  • Long hair should be tied back during patient treatment or when operating machinery.

Clothing:

  • Clean, neat and in good repair and allows for full performance of all duties.
  • T-shirts and tank tops are not permitted. Polo shirts or styled cotton tops with pockets are acceptable. Discreet, non-inflammatory images and logos are permitted.
  • Sweatshirts are not suitable in direct patient care areas.
  • Tops need to be long enough and high enough to provide adequate coverage of abdomen, back and chest.
  • Fragrances should be avoided.
  • Jewelry, tattoos and body piercings must be discreet and pose no risk to the wearer or patient.

If you have direct patient contact (i.e., physicians, MOA, nursing, physiotherapist):

Clothing must meet infection control standards for the benefit of patients, you, and your family. The type of work that you do may require additional considerations.

No artificial nails are permitted.

In the interest of the health and safety of our patients and our employees, no artificial fingernails are permitted. Artificial nails have been demonstrated to interfere with effective hand washing hygiene and have contributed to healthcare acquired infections.

When we know better, we do better

Download the Practice Management Success Tip, ‘Dress Code Policy'.

Discuss with your team the importance of professional attire and overall appearance.

Dress Code Policy

The free Practice Management Success Tip, Dress Code Policy, will help you

  • Discuss with your team the importance of professional attire and overall appearance.
  • Review the professional work standards expected of each staff member, regardless of their role.
  • Guide discussions with your team, get their feedback and input, customize a procedure that you can use right away in your practice.
Show Me The Dress Code Policy

What’s New in Cybersecurity in Healthcare

Posted on May 7, 2021 by Meghan in Blog


What has been happening lately in cybersecurity in healthcare?

Anne Genge, CEO of Alexio Corporation is my guest on this episode of Practice Management Nuggets For Your Healthcare Practice!

Anne and Jean discuss recent privacy breach scenarios and cybersecurity trends and steps that you can take now to prevent these events from happening to you!

Virtual care, telehealth, and working from home present opportunities – and cybersecurity risks. Digital health and digital transformation have grown rapidly in the last year. Take time now to review your practice and defend yourself from dramatic increases in cybersecurity attacks.

Anne shares expert tips on how to prevent cybersecurity attacks in your practice.

Anne Genge's #1 Tip to Healthcare Practices

Invest in a professional cyber security risk assessment for your practice.

 

My Favorite Takeaways From The Podcast

Anne shared her Top 3 Tips For an Incident Free 2021 to help healthcare providers and dentists protect their practices and their patients, including these nuggets:

  • Secure the network
  • Secure the people
  • Disaster recovery plan

Featured Guest: Anne Genge

Anne Genge is a pioneer in protecting health data and those who use it. She is a Certified Information Privacy Professional with a specialization in dentistry. Anne also holds certifications for HIPAA, Credit Card Security, Internet, and Network Security.

Ransomware and data theft have changed the face of dentistry in the past decade meaning dentists need a new toolkit for protecting their practices.

With over 20 years of experience, Anne knows the challenges healthcare providers face with technology. She and her team at Alexio Corporation work with dental and medical professionals to minimize data risk and maximize patient care.

As healthcare grows increasingly dependent on the digital environment, cyber-security becomes increasingly more difficult. Protection of patient data is not only law, it’s imperative for business success and reputation. Anne simplifies cyber-security for dentists and other healthcare providers and gives ‘real world’ strategies to protect patient information and the practice business.

To find more, see https://getalexio.com

Email: anne@getalexio.com

Twitter @alexiocorp LinkedIn @alexiocorporation
Instagram @alexiocorporation Facebook @alexiocorporation
   
Listen To The Podcast Here

You may also be interested in:

Table-Top Privacy Breach Fire Drill

Ransomware – 6 Mistakes Made By Dentists (And Their IT!)


Why Would a Dentist Want Access to the Alberta Netcare Portal?

Posted on April 27, 2021 by Meghan in Blog


As a dentist or dental hygienist, if you have concerns about a patient’s health history, you may want to have access to the Alberta Netcare Portal to view the patient's history of health concerns and current medications.

Alberta Netcare provides personal health information that is available through a province-wide electronic record system under the authority of the Health Information Act (HIA).

Whether a dentist uses paper records, electronic dental records (EDR), or electronic medical records (EMR), using the Alberta Netcare Portal will help dentists monitor their patient’s interactions with other parts of the health care system.

What is the Alberta Netcare Portal?

Alberta Netcare Portal is the secure vehicle through which patient health information from a variety of health care providers is shared and accessed electronically, by independent and hospital-based health service providers like dentists, physicians, nurses and pharmacists. The Alberta Netcare Portal is a data collection centre for registries and systems such as laboratories, diagnostic imaging facilities, hospitals and some specialized clinics. Alberta Health and Wellness is the Netcare information manager.


Dentists and Dental Hygienists Are Custodians

Dentists were designated in 2010 as authorized custodians under the Health Information Act (HIA). Dentists can now request access to Alberta Netcare by showing that they meet the Netcare requirements.

Dentists who manage patients with complex medical conditions, or who provide treatment requiring sedation or general anaesthesia, may require additional information about the patients’ health history. Dentists can use Alberta Netcare Portal to view medication profiles, laboratory data and test results.

Ensuring reasonable safeguards to protect the privacy and security of personal health information of your patients and residents of Alberta is critical! We want everyone who has access to these health data repositories to follow the same best privacy and security practices. The HIA has regulated requirements for all custodians to follow.


Everyone needs to follow the rules to play in the sandbox!

How To Get Started

Before you are granted access to Alberta Netcare Portal, you must complete the following steps.


Step 1: Create or update your Health Information Management Privacy and Security Policies and Procedures, including the rules governing the access, collection, and use of health information from Alberta Netcare.

Step 2: Complete a Privacy Impact Assessment (PIA) and submit this to the Office of the Information and Privacy Commissioner for review. For more information on how to complete a PIA, click here.

Step 3: Train your team on privacy awareness. I recommend the Privacy Awareness in Health Care Training — Dental Practices.

Step 4: Contact the eHealth Netcare Support Services Team.

Step 5: Complete a Provincial Organizational Readiness Assessment (pORA). See What is a pORA.

Step 6: Sign an Information Manager Agreement (IMA) and review the Information Exchange Protocol (IEP) with Alberta Netcare.

For more tips on implementing reasonable privacy and security safeguards for your dental practice, see https://informationmanagers.ca/privacy-impact-assessment-pia/.

You can also watch the FAQ video on this topic by clicking the button below!

Watch the FAQ Video HERE!

You May Also Be Interested In:

What is a pORA?

New Health Information Policy and Procedure Manuals

Do You Need An Expedited Netcare Privacy Impact Assessment?

Who Is Doing the Recalls In Your Dental Practice?

Privacy Awareness in Healthcare Training: Dental Practices

Privacy Impact Assessment – Consultation Options Available!

Jean Eaton

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS


Do You Need to Build A Privacy Awareness Training Plan for Your Healthcare Practice?

Posted on April 22, 2021 by Meghan in Blog


A practical privacy awareness training plan will save time for clinic managers, and it will manage risks with employee compliance and buy-in.

Build a privacy awareness training plan! Privacy awareness training is more than a checklist when new employees are hired.

As an employer and health care provider, you are responsible for providing privacy awareness training to all your employees.

Your privacy officer should have direct involvement in the planning and monitoring of the privacy awareness training. The privacy officer may also:

  • Facilitate training opportunities
  • Develop / contribute to policies and procedures
  • Monitor for compliance
  • Provide instructions
  • Implement specific projects

If you don’t provide the training – and if your employees don’t understand the policies – and there is a privacy breach, then the healthcare provider is more likely to be held accountable under the legislation and face penalties including fines and even prison!

Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information. Healthcare businesses who want employee and supervisor level privacy awareness training to support key policies, procedures and risk management programs need a privacy awareness training program.

Privacy Awareness Training Plan Workshop

Learn effective approaches to design and deliver an effective privacy awareness training plan for your healthcare practice.

  • Real-life scenarios and privacy breach offences demonstrate what can go wrong – and what you should do instead
  • How to manage employees who may not ‘get it'

In this 60-minute webinar, you will outline a privacy awareness plan for your practice.

  • Privacy Awareness Program Components
  • Supporting Privacy Awareness Training Policies and Procedures
  • Privacy Awareness Training Strategy
  • Privacy Awareness Training Models
  • How Do You Create Privacy Awareness Training Content?
  • Privacy Education Objectives
  • Audiences For Privacy Awareness Training
  • Evaluation Methods
  • Monitoring / Compliance
  • Documentation

Join us on Thursday, May 6

12:00pm Noon Mountain

Build a Privacy Awareness Training Plan for Your Healthcare Practice

Register for Your FREE LIVE* Workshop

*Even if you can't attend live, register now to get access to the limited time replay and resources!

Yes! I want to attend the workshop

This Workshop Includes:

  • Live on-line training
  • Q&A with Jean Eaton, Your Practical Privacy Coach when you join the webinar live
  • Access to the replay for a limited time
  • Learning Resources Guide

Did you enjoy reading this article? You may also be interested in:

Do You Want To Be A Confident Healthcare Privacy Officer?

Keeping Privacy Active in the Minds of Clinic Staff

5 Low Cost Steps You Can Take to Prevent Employee Snooping

3 Parts to Every Privacy Awareness Training Plan


Table-Top Privacy Breach Fire Drill

Posted on April 19, 2021 by Meghan in Blog

Use A Table-Top Privacy Breach Fire Drill to Protect Your Practice

A table-top privacy breach fire drill is a cost-effective way to prepare for a privacy and security incident in your healthcare organization. You should have a written privacy breach incident response plan in your healthcare practice. Have you practiced your response plan lately?

A table-top privacy breach fire drill allows your incident response team to rehearse their skills in a controlled exercise.

Do you remember your school days when every month or two you had a fire drill? The fire alarm would go off and everybody would very calmly go down the stairs, out the doors, and to their muster point.

We take the same approach with privacy breach fire drills. Fires can happen at different times, places, and for different reasons. When you change the scenario, you develop alternate strategies or playbooks to best respond to the fire.

A privacy breach incident playbook contains all the actionable steps to take when a privacy breach incident occurs. Your playbook will have many ‘plays’ or actions to take when different types of privacy breach incidents occur. You could also think of it as a recipe book. You have many types of recipes to select from. Identify the ingredients that you have on hand (or the characteristics of the latest privacy incident) and select the most appropriate recipe to resolve the incident.

Healthcare providers, owners, and privacy officers hear about big privacy breaches on the news and hope it won’t happen to them. It keeps them up at night…because they know that properly preventing or managing a privacy breach is critical to the continued success of their business. Implementing a table-top privacy breach fire drill will help!

Picture this. You call a meeting of your incident response team. This may include your privacy officer, computer network support or managed services provider lead, physician, dentist, or other healthcare lead, your media spokesperson, and clinic manager. The privacy officer distributes a privacy breach incident scenario summarized on one page.

The team members read the scenario and then discuss what steps they would take to respond to the privacy breach incident.

Using the 4 Step Response Plan as your playbook guideline, the incident response team note-keeper documents the hypothetical steps that the team takes to respond to the breach. Record the decisions, the resources, and the questions that you explore in this scenario.


When the table-top exercise is complete, you have detailed action steps that you can take when a similar privacy incident occurs in your healthcare practice.

How To Use The Table-Top Privacy Breach Fire Drill Technique

The goal of a privacy breach fire drill is to develop your playbook so you can spring into action when a similar privacy and security incident occurs in your healthcare practice.

First, identify a scenario that could happen in your practice. Unfortunately, it’s easy to find an example about a privacy and security breach in the news. Grab a privacy breach example and pull out the bits and pieces of the information that might apply to your organization. When you select scenarios that could happen in your organization the exercise is more meaningful for you, and you will develop tools and templates that are going to help you in the event that a very similar privacy and security incident happens in your organization.

Let’s use the recent privacy breach incident from the province of Saskatchewan*, where a cybersecurity attack happened in their E-Health system. This attack may have started when an employee who had authorized access to the e-health system connected a personal tablet by USB to the Saskatchewan health authority’s computer. This enabled a virus from that personal tablet to infect the computer system and ultimately the e-health system, allowing millions of files to be stolen. Strip the example down to its key points. Create additional details and assumptions where needed to give the team members enough information to discuss the scenario during the fire drill exercise.

Step 1 Contain The Breach

The first step in every incident is to spot and stop the breach. Make an assumption that the employee who connected the personal device to your computer is now seeing that message on the screen that says that there's a virus in the system. One of your incident team members plays the role of the employee and completes Step 1 of the privacy breach incident response form and notifies their supervisor or the privacy officer.

Another team member assumes the role of the privacy officer and explains what their next action steps would be.

Record each action that you consider. Document each policy, resource, phone number and email address that you would use in a real event. This creates the action steps in your playbook.

Step 2 Evaluate the Risks

Discuss the risks that could affect the computer systems. What tools do you need to evaluate the harm of this incident? How might this affect patient care and the privacy of patient information?

Contact your vendors and ask them to contribute to the risk assessment in this scenario.

Who else might you want to call on for assistance to investigate this incident?

You might want to revisit the news item for additional information about the actions that were taken that you might also need to explore.

In your playbook, record good leading questions to help you to investigate the incident and evaluate the risks of harm.

Step 3 Notification

Strategize who you would notify about the incident. Prepare written notification to the custodians, patients, regulators and even media statements. These become templates in your playbook that you can quickly implement in your real event.

Role-play your media spokesperson being interviewed on the evening news. It’s much better to practice now, before you are in a crisis.

Step 4 Prevent the Breach From Happening Again

This might be the most valuable step in the privacy breach fire drill. Complete the privacy breach incident worksheet and summarize this practice scenario. Consider how likely this scenario could happen in your practice. What type of training could be done now to prevent this from happening? What tools or training do your incident response team members need today to make it easier for them to monitor and prevent this scenario from happening?

Fire-Drills Lead to a Confident Response

At the conclusion of this fire-drill, your team is ready, energized, and has the tools that they need to make sure that they can respond to a privacy and security breach as quickly as possible. This absolutely is a great investment of your time. These table-top privacy breach fire drills are a great demonstration of your commitment as an organization to ensure that you are protecting the privacy, confidentiality, and security of health information.

I hope that this privacy tip to help you do your tabletop privacy and security breach fire drills will be of value to your organization.

Listen to the podcast HERE!

Do you need help to create your privacy breach management plan – and a mentor to help you get it done?

Check out the 4 Step Response Plan – tips, tools, templates, and training to help you create your privacy breach management plan!


*Reference:

Saskatchewan IPC finds ransomware attack results in one of the largest privacy breaches in this province involving citizens’ most sensitive data. January 8, 2021 – Ron Kruzeniski, Information and Privacy Commissioner. https://oipc.sk.ca/saskatchewan-ipc-finds-ransomware-attack-results-in-one-of-the-largest-privacy-breaches-in-this-province-involving-citizens-most-sensitive-data/


How to Prepare Patient Records for a Court Order in Your Healthcare Practice

Posted on April 7, 2021 by Jean Eaton in Blog


You are working at the reception desk of a healthcare practice. Suddenly, there is a police officer giving you a court order! Do you know how to prepare patient records for a court order?


Don’t Panic!

In this month’s Q&A with Jean, we discussed how to prepare patient records for a court order with confidence!

Now, just a reminder, I’m not a lawyer and I don’t play one on TV. These are my recommendations based on my experiences – as a director of health records in hospitals in Canada, as a court reporter, and as a mentor to clinic managers in independent healthcare practices – and this is not legal advice.

Follow These Steps

In this article, I am not discussing a life-threatening situation that requires an immediate response. I am also not discussing when the order relates to the type or quality of healthcare provided to the patient or when the actions of the healthcare provider or clinic are being challenged or reviewed. These are topics for a different article.

Your reception staff should not accept the court order but, instead, immediately ask the officer to wait for a few minutes so that they can request their supervisor or privacy officer meet with them.

When the court order is an administrative request for information, the supervisor or privacy officer will accept the court order from the officer. Before the officer leaves, make sure that you read the court order carefully and check or record the following:

  • Who is named in the court order.
    • This is often the clinic manager of the clinic. Your clinic should be specifically named or, perhaps, the name of your lead physician or healthcare provider.
  • Record the date and time that you received the order.
  • Clarify when the response is required.
  • Name and contact information.
    • This could be of the officer that delivered the court order (if possible).
    • At minimum, it should include the contact information of the court, for example, the court clerk’s office or the witness co-ordinator, or the sheriff’s office.
  • The province or jurisdiction of the court.
    • In general, this should be the same province where your clinic operates. If not, contact your lawyer for advice on how to respond.

Review Your Policies and Procedures

This is not a routine request from a patient to access their health records or a request to disclose their records to a third party like a lawyer or insurance company. In those routine requests, patients are generally required to provide a written, signed consent before you can disclose their records.

When you receive a court order or subpoena to produce patient records at a court or other legal proceeding, you are not required to get a signed consent from the patient.

Each healthcare practice should have detailed policies and procedures on how to prepare patient records for a court order. Review these now.

If you don’t have up-to-date policies and procedures, see the Practice Management Success Tip, How to Prepare Patient Records for a Court Order.

Validate the Court Order

Read the court order carefully. In particular,

  • Phone the contact number on the court order.
  • Confirm the date, time, and location that you are required to appear.

Locate the Patient Record

Find the patient information maintained in an electronic database, electronic medical record (EMR) and/or paper records. Remember to look for both active and inactive patient records as needed by the court order.

Read the patient record carefully, line by line, to ensure that the record is complete. For example, make sure that all lab reports, prescriptions, consultation notes, etc. are included in the record.

Secure the record to prevent snooping or modification to the record. Also ensure that the record is available for continuing care and treatment of the patient, if needed.

In an electronic record, prepare an audit log of all the transactions on that patient’s chart.

Ensure there is no duplicate or second chart for the patient that may have been created in error. Search by alternate names, spellings, date of birth, etc.

Ensure that each custodian included in the patient’s care and your healthcare practice’s privacy officer are informed of the court order to produce the record. The custodian should be provided an opportunity to review their clinic notes. Remind the custodian that they cannot further disclose the patient's record.

Prepare the Patient Record

Review the court order and identify exactly what information is requested. It might be for specific dates or a condition or treatment.

Keep complete and detailed notes about how you prepared your response to the court order. You will bring your notes with you to court to assist you in your testimony about how your clinic creates and maintains patient records and what you did to respond to the court order. After your court appearance, you will maintain your notes as part of the business records for the clinic.

Collect the information and record each of your steps and your results, including the records that you searched for as well as those that you did not find any results for.

If you maintain your patient records in an electronic medical record (EMR) or digital practice management software, print out a hard copy of all the information that responds to the request.

Sever (also known as redact or black-line) any information that is not appropriate to include in the disclosure. Cross-reference each redacted entry to the legal authority not to include the information in the disclosure.


If you are using an EMR, organize the paper print-out in a format that makes sense. This might be in chronological date order, or by grouping like records (clinic notes, lab results, etc.) together.

Create a ‘Table of Contents’ of the information in the patient record. This will help you in your testimony to quickly find requested information, and to help the court to locate information in the records that you have prepared.

At the same time, handwrite in ink at the bottom of each page the sequential page number in the package. Update the table of contents with the page numbers.

Stamp ‘COPY’ on each page.

When the package is complete, make a photocopy (or two) of the entire package. The ‘original’ paper copy will be maintained at the clinic. Bring the original and the copy to court and ask the court to accept your copy. Return the original package to the clinic and securely maintain this as part of the business records of the clinic until the court file is complete.

When You Attend At Court

As the clinic manager, your role at the court is to tell the court how patient information is collected and maintained in your healthcare practice. Your job is not to interpret the content of the clinic notes.

A few days prior to the court date indicated on the court order, phone the clerk’s office or witness support office to confirm the date, time, and location of the proceedings and if you are still required to attend.


On the day of the proceedings, report to the clerk of the court.

Bring with you the court order, your photo ID, the patient record, and your notes. Bring a good book to read in case you have a long wait.

You will be advised (again) if you are required that day. If you are not required, the clerk will make a notation on your court order to appear that you attended and that you have been dismissed. Keep this in your business records with the patient record.

If your testimony and the patient records are required, you will be called as a witness during the court proceeding.

You will be asked to swear or affirm an oath to speak honestly during your testimony.

Typical questions that you should be prepared to answer include:

  • Your name.
  • Your role at the clinic, how long you have been in that role, your routine tasks and responsibilities at the clinic.
  • Describe how patient records are maintained. Be prepared to explain your EMR or computer patient management system (if you have one).
  • Bring your notes about the steps that you took to prepare for the court order. You may ask permission of the court to refer to your notes that you created when preparing to respond to the court order during your testimony, if necessary.
  • Explain that the patient records are kept electronically and that you have prepared a paper print-out of those notes.
  • Be prepared to explain how you know that the records are complete, not missing any details, etc.
  • If the court asks you to enter the records into evidence, explain that you have an ‘original’ and a ‘copy’ and ask the court to accept the ‘copy’ into evidence.

When You Return to the Clinic

Complete your notes by documenting your day at the court. Write a short summary of your day including:

  • Did you give a copy of the patient records to the court? To whom?
  • Remember to add a notation to the patient’s record that you disclosed this information according to the court order.
  • Any follow-up required for this disclosure?
  • Review your procedures. Is there anything that you would edit, or any additional instructions that you would provide, to help you be better prepared the next time you receive a court order?
  • Submit a copy of your out-of-pocket expenses (parking receipts, meals, etc.) for reimbursement by your employer, if applicable.

What You Should Do Now

  1. Review your policies and procedures now to ensure that they include how to respond to a court order.
  2. Train your reception staff on what to do if they receive a court order.
  3. Train your privacy officer and clinic manager on how to prepare a patient record for a court order.

Depending on where you work, you may receive a court order regularly or it might be a once-in-a-career experience. When you have policies and procedures and a little bit of training to assist you, you can respond to a court order calmly and confidently.

If you are a member of Practice Management Success, log in and access the ‘Procedure: Preparing Patient Records for a Court Order’ template and the replay of the tutorial video.

Download Practice Management Success Tip - Preparing Patient Records for a Court Order Now!

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS


Can We Email Patients During COVID-19?

Posted on March 11, 2021 by Meghan in Blog

Q: Can we send an email to our recent patients to inform them that we are open during the current COVID restrictions?

We know that some patients are reluctant to see their care provider in person because of the COVID-19 pandemic. They are worried that they may have to wait in a crowded waiting room, or they are concerned about the possibility of waiting outside in the cold. They may not know about new care options, such as phone consultations or video meetings.

Can we email our patients to let them know how we are addressing their concerns?

Update – This works for letting your patients know that you are offering vaccinations, too!

A: Yes, with certain limitations

In my opinion, if you are reaching out to **recent** patients / clients to assist them with their **current** health care questions, it is OK to send an email to let them know how you can provide health services within the current pandemic restrictions.

Here are some tips to help you review or create your procedures for how to use email with your patients.

  1. Make sure you have previously collected a patient's email address and their consent (verbal is OK, written is better) to use their email address for health service related messages before emailing them.
  2. Do not accept work email addresses for patients; it must be a personal email address for the patient.
  3. Update the patient’s demographic information, including the email address, regularly. Make this part of your process every visit as part of your identity verification.
  4. Update the patient's consent to use their email address every time you have an in-person or telephone conversation with the patient.
  5. Use a script for calling patients to update information and to get consent for using their email address.

Use the EMR system to send patients appointment reminders or patient education resources related to their recent visit.

If you also want to send your patients engaging articles about your healthcare providers, services that you provide, or classes or products that you sell, I suggest that you use a system different from your EMR. Use an autoresponder email system to send your patients marketing materials, engaging articles and other pieces of information on a separate marketing email platform. Remember, your patient must opt-in to consent to receive information from you using your autoresponder system.

There are many autoresponder systems to select from, including MailChimp, Active Campaign, Constant Contact and many more.

Join me on the FAQ video to find out when you can email patients during COVID. Click the button below to watch!

Watch the FAQ video HERE!

Interested in learning more about Email Marketing to your patients / clients?

Check out this blog, Top 10 Do’s and Don’ts of Email Marketing For Physical Therapists & Chiropractors, by CallHero.

If you use Social Media to connect with your patients / clients, you might need the Practice Management Success Tip Social Media Management.

Get it here!


Copyright 2022 Information Managers Ltd.
