Information Managers
  • Home
  • Services
    • All Services
  • Templates
  • Blog
  • Contact Us
  • Practice Management Success
  • Podcasts

Is Remote Working A Good Choice For Your Healthcare Practice?

Posted on March 23, 2020 by Jean Eaton in Blog

In our healthcare practices, we have policies and procedures to identify the reasonable safeguards we need to take to protect personal and health information entrusted to us. But when employees complete their roles off-site, due to personal circumstances or to ensure business continuity in unusual situations, we need to take action to ensure reasonable safeguards are in place to protect the privacy, confidentiality, and security of personal health information.

Remote Work May Be Available To Employees

Working from home is at the sole discretion of the custodian and owner of the clinic. Examples when this may be applicable include:

  • Business continuity – due to technical, physical, or other unusual circumstances.
  • Work levelling – volumes of work are distributed to another location usually for a short duration.
  • Illness / personal circumstances – where an employee is unable to report to work at the clinic but can continue to complete their roles off-site.

Some administrative tasks in a healthcare office – for example, incoming phone calls, appointment booking, appointment reminders, billing, and/or transcription – could be done from a home office environment. Sometimes even follow-up and consultations from the healthcare provider can be done remotely, too.

The healthcare provider or custodian is ultimately responsible to ensure the secure collection, use, and disclosure of health information.

For the purposes of this article, the ‘custodian’ may be the healthcare provider defined by the HIA, or the lead healthcare provider or owner in your practice.

p

In Alberta, a ‘custodian’ is defined under the Health Information Act as a health services provider who is designated in the regulations as a custodian, or who is within a class of health services providers that is designated in the regulations. HIA section 1(1)(f)(ix)

This includes:

  • Physicians
  • Pharmacists
  • Optometrists
  • Opticians
  • Chiropractors
  • Midwives
  • Podiatrists
  • Denturists
  • Dentists and dental hygienists
  • Registered nurses

Is Remote Working Good for Your Business?

As the custodian, you must decide if remote working is a good option for your business. When you decide that this is a viable option for your business, you then need to: 

  • Determine if remote working is appropriate for your employees.
  • Identify what clinic / business resources need to be provided to the employee remote worker.
  • What reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.

Likely you will continue to have both on-site and remote workers. The custodian will decide what ratio is appropriate to provide patient care and business goals on both a short term and a long term basis.

Regulations, Standards, Policy

Each healthcare business has multiple sources of sensitive information, including employee, financial, business, and health information. Custodians and owners have a responsibility under a variety of regulations, professional practice standards, and internal policies to protect the privacy, confidentiality, and security of personally identifying information (PII).

Health information is sensitive information. Reasonable efforts must be made to ensure that identifying and sensitive information is protected from unauthorized access, loss, or damage during and outside work hours. What a custodian may consider is reasonable efforts during a pandemic may be different than reasonable efforts from normal circumstances.

During a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing.

Privacy Impact Assessments

In Alberta, section 64 of the Health Information Act (HIA) requires custodians to prepare a privacy impact assessment (PIA) and submit it to the Office of the Information and Privacy Commissioner (OIPC) of Alberta prior to implementing a new administrative or technical process in a healthcare practice.

The OIPC in Alberta requests in its notice of March 19, 2020, that custodians notify the Commissioner about new administrative practices or information systems. Your submission to the OIPC should include a description of what the new program is meant to achieve and any safeguards for health information.

Standards

Your professional college may also have standards of practice and recommendations that impact your decision to implement remote working or virtual healthcare.

The Advice to the Profession series from the College of Physicians and Surgeons of Alberta (CPSA) offers guidance documents to assist you in assessing the security risks and safeguards of electronic communications, including laptops and mobile devices, to further assist you to determine appropriate safeguards.



From the College of Physicians and Surgeons of Alberta (CPSA):

COVID-19: Virtual Care

Electronic Communications & Security of Mobile Devices

Standard of Practice Telemedicine

Review Your Current Policies and Procedures

Don’t cut corners. Instead, build privacy into your decision. Create, review, and update your policies and procedures.

Use the Remote Worker Privacy and Security Checklist to help you document your decisions and expectations with eligible employees.

You may also need to consult your information technology support providers to ensure up-to-date computer and network security has been implemented.

Virtual Healthcare

Healthcare providers may consider providing virtual healthcare services to their patients. The healthcare provider may be at their usual clinic or office location and use all of their existing systems and tools to access patient records in paper or electronic medical records (EMR).

Alternatively, the healthcare provider may be working remotely, too. The same privacy, confidentiality, and security safeguards applies to their home working location.

If you are choosing to implement a new virtual healthcare solution specifically to respond to the current public health emergency, the Office of the Information and Privacy Commissioner (OIPC) of Alberta advises that

“ . . .custodian[s] need to determine what are reasonable safeguards in the circumstances and be prepared to justify their decision. Health custodians should also ensure individuals are aware of any heightened risks to privacy as a result of a new administrative practice or information system being implemented.”

Remember, you can leverage existing technology – like the telephone – to keep in touch with your patients. This likely would not be considered a new administrative or technological practice that would require a PIA. This might also be a great time to fully implement your current patient portal functionality from your EMR vendor, too.

You may decide, based on your evaluation of the potential risks and what reasonable safeguards that you can quickly implement in response to the new public health emergency, that authorizing remote working or a new videoconferencing solution is not the best choice at this time.

Select the process that ensures continuity of care to the patient, including appropriate documentation in the patient record and the protection of the PII.

​Reference

Notice: PIAs During Public Health Emergency, March 19, 2020, Office of the Information and Privacy Commissioner (OIPC) of Alberta

The Practice Management Success Tip, Remote Worker Privacy and Security Checklist, will help you

  • Determine if remote working is appropriate for your employees.
  • Identify what clinic / business resources need to be provided to the employee remote worker.
  • What reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.
Show Me The Remote Worker Privacy and Security Checklist

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

What Should I Do If I Think I Have COVID-19?

Do You Know Where Your Policies and Procedures Are? 

 

assessment, healthcare, medical, pandemic, physician, remote working, risk assessment, template, work from home

Why You Need To Get The Right Agreements With Your Vendors

Posted on February 4, 2020 by Jean Eaton in Blog

Donna Grindle knows having a business arrangement agreement between a healthcare provider and their business associate is very important in defining clearly the responsibilities of both parties.  

But, many healthcare providers, business owners, and vendors don’t get this right!

Donna shares her observations on the HIPAA violations trends from the United States so that healthcare providers and vendors in Canada can prevent similar experiences and avoid massive fines and penalties.

Donna Grindle is my guest expert on Practice Management Nuggets For Your Healthcare Practice.

Donna Grindle's #1 Tip to healthcare providers and vendors

Don’t assume. Ask questions!Click to Tweet

My Favorite Takeaways From The Podcast

  • Healthcare privacy and security regulations are more similar than different.
  • Educate as many people as possible about the importance of privacy and cybersecurity.
  • Don't assume that you don't have to ask questions.
  • Privacy is a civil right.
  • Under HIPAA, any business that provides a service to covered entities (healthcare providers) that requires them to have access to protected health information is then considered a business associate (BA).
  • BA's are separately and equally liable to protect patient information.
  • You must have a written agreement between your vendors and your healthcare providers that describes how you will protect patient health information. If you disclose personal information without a written agreement, you are breaking the law.
  • BAA / IMA must include liability clause.
  • Tips: Healthcare Provider Selecting A Vendor
  • Tips: Vendor Selecting A Healthcare Client
  • Cybersecurity insurance

Featured Guest: Donna Grindle

Image ladyFounder & CEO Kardon and
Co-Host Help Me With HIPAA Podcast

Donna brings over 30 years experience in healthcare IT which is the solid foundation of Kardon’s HIPAA privacy and security consulting. Donna stays busy with speaking engagements, the weekly Help Me With HIPAA podcast, and managing a business with a growing client list. Donna’s sense of humor and southern charm spills out into everything she does.

Be sure to tune in to my interview with Donna Grindle,

What Healthcare Practices Should Know About Vendor Vetting And Accountability | Episode #085

Listen To The Podcast Here
#PracticeManagementNugget, BAA, business associate agreement, Donna Grindle, healthcare, HIA, HIPAA, IMA, information manager agreement, podcast, privacy compliance, vendor vetting

PIPEDA Mandatory Privacy Breach Notification

Posted on January 19, 2020 by Jean Eaton in Blog

Organizations subject to PIPEDA are required to report to the OPC any breaches of security safeguards involving personal information that pose a risk of significant harm to the individuals.

PIPEDA

PIPEDA is a Canadian federal law that sets out the rules for the collection, use and disclosure of personal information in the course of those commercial activities. PIPEDA outlines the 10 Fair Information Privacy Principles that businesses must follow regardless of their size. Organizations need to know privacy rules and make sure that you have the appropriate safeguards implemented in your business.

 

Does PIPEDA Apply To You?

image of map of Canada

PIPEDA applies to most businesses across Canada, excepting Quebec, British Columbia, and Alberta. These provinces have their own private sector laws that are substantially similar to PIPEDA.

But even in those provinces, PIPEDA covers federally regulated industries like transportation, telecommunications and banking. In addition, all businesses that operate in Canada and handles personal information that crosses provincial or national borders are subject to PIPEDA, regardless of which province or territory that they're based in. All businesses in the three territories also fall under PIPEDA.

In Alberta, we have privacy legislation called the Health Information Act (HIA) that takes precedence over PIPEDA and Alberta's Personal Information Protection Act, (PIPA). If a business, like a physician's office, has a privacy breach which includes health information, then the custodian of the physician office must report the privacy breach following the HIA regulations. If employee information or other non-health information is included in the breach then that triggers privacy breach notification under PIPA. Sometimes, a breach can include both types of information and the physician office must notify under each legislation.

In BC, the Personal Information Protection Act (PIPA) is BC's private sector privacy law that has also been deemed substantially similar to the federal private sector privacy law. BC does not have health information specific privacy legislation, so PIPA applies to private organizations in BC, including physician practices, and governs how the personal information about patients, employees and volunteers may be collected, used and disclosed.

If you are a business in Canada, for example, an electronic medical records (EMR) business and you have a data center in Canada where all of your clients across Canada provide their information and store it in your data center, the EMR vendor likely falls under the PIPEDA regulations.

The vendor may be responsive to other legislation as well. If you are an EMR vendor, you do not directly comply with the HIA in Alberta because that applies only to custodians. However, as an information manager of a custodian under the HIA, you have some obligations under the HIA in the event of a privacy breach. But that does not mean that you don't also have obligations under PIPEDA.

 

What Is Included In Personal Information?

image file folders

Personal information is more than just a name or an address. It's data about an identifiable individual that can, by itself or combined with other information, identify a person. It could be a person's age, ethnicity, medical information, credit card number or even an income level. It might also include their Internet Protocol (IP) address or their website or email information.

Regular surveys done by the Office of the Privacy Commissioner of Canada says that small businesses tend to be less aware of their privacy responsibilities than larger organizations. In 2017, 65% of large organizations with more than 100 employees indicated that they were privacy aware. But only 43% of small businesses indicated that they were privacy aware. Smaller companies may not have dedicated compliance officers or privacy officers, and they may not have a sense of privacy knowledge.

The compliance challenge for smaller organizations is made more difficult by the limited human and sometimes the financial resources available to them and the gap on the knowledge about the privacy obligations.

Lack of awareness can potentially lead to complaints about your business, which has an impact on your business's reputation.

 

Privacy Breach

A privacy breach occurs when there is an unauthorized access to or the collection, use, disclosure, our disposal of personal information. There are many things that could qualify as a privacy breach. If you have a financial transaction that includes clients’ information and now is publicly available on your website, that's a privacy breach. If you have somebody in your organization who has access to personally identifying information as part of their job, but they use it for some purpose other than their job, that's snooping, and that is a privacy breach.

There are many examples about what is a privacy breach, but any time that you view, use, or disclose without aauthorization is considered a privacy breach.

Privacy breaches also have a negative impact to our business because it takes time and resources to manage a privacy breach, and it has a huge impact to the reputation of an organization.

 

Privacy Breach Notification

image timeline

The November 2018 PIPEDA mandatory privacy breach notification regulations requires you to know where all of your personally identifiable information sources are and know the safeguards implemented to protect the data.

Then, you need to monitor the data to identify any breaches. If there is a breach of those security safeguards, you need to record all breaches. So even if there is a breach of a safeguard that nobody has exploited, you still need to record that you have identified that there is a potential risk and what you've done to be able to manage that risk and prevent that from happening again.

Next, you need to determine the risk of significant harm, or ROSH. (more about this later.)

The risk of harm test that identifies what information had been included in the breach and the type of harm that could happen to that individual as a result of the breach. When it reaches that ROSH threshold, then you need to notify the Office of the Privacy Commissioner of Canada office. Or, if you are in BC, Alberta or Quebec, you need to report that to the provincial privacy commissioner.

You also need to notify other people about that privacy breach.

You probably need to notify your clients. If you are an EMR vendor or another vendor that's providing a service to healthcare providers, you need to notify them about the breach.

As an example, if you are an EMR vendor that has been breached–perhaps a security compromise or hack into your data centre–you have a responsibility to notify the healthcare providers who collected the personal information. The EMR vendor must also report the privacy breach to the Office of the Privacy Commissioner.

You might also have an obligation to notify the individuals that have been affected by that breach. In your information manager agreement in Alberta, you should have clear written expectations about whether or not a vendor should notify the patients directly about a privacy breach or if the custodian or the health care provider is going to assume that responsibility. This is an important detail that you need to identify in your information manager agreement.

Also see the Practice Management Success Tip Top 3 Agreements Your Healthcare Practice Must Have (And Why) from Information Managers at https://InformationManagers.ca/top-3 for more on information management agreements (IMA.)

 

ROSH

image lady with paper

The risk of significant harm (ROSH) is a framework for assessing the risk to the individual as a result of the breach of individually identifying information. Adopt and use a framework for your organization to assist you to quickly and consistently assess a breach for ROSH.

If there is personally identifying information included in the breach, we can assume that the information is sensitive information to the individual. Generally, I recommend a default that if individually identifiable information is included in the breach, then assess that there is a significant risk of harm to the individual.

The circumstances of a breach may make the information more or less likely to be used maliciously. For example, additional questions that you may want to consider include how did the breach occur? How likely is it that someone would be harmed by the breach? Who actually accessed or could have accessed that personal information? How long has that personal information been exposed? Is there evidence of malicious intent, like hacking? Or was it a theft? Or did somebody intentionally tried to use that information and use it in a very covert way? Were a number of pieces of personal information breached therefore, increasing the risk of misuse? Is the breached information in the hands of an individual that represents a reputation to the risk of that individual or themselves? Or, was the information exposed to a limited, known number of entities who have committed to destroy and not disclosed the data.

 

Privacy Is Good For Business

image people in business

As always, good privacy is good for business. Poor privacy protection can damage your company's reputation and cut into your profit margin. When your practice proactive privacy, you enjoy the confidence and trust of your customers. Canadians tell us that the more they trust a company, the more likely they are to do business with it. Getting privacy right is your opportunity to demonstrate that you deserve their trust and their business.

Remember that one of the fair information principles is accountability. At the end of the day, you are responsible for protecting the personal information that you have collected.

 

Reference: Privacy and your business: An introduction to the Personal Information Protection and Electronic Documents Act. Office of the Privacy Commissioner of Canada. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/pp_bus/

Privacy Management Program

Build privacy protections into everything you do is a business. Having clear policies and procedures for the collection, use and disclosure of personal information is of vital importance for your business.

 

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

How to Manage a Privacy Breach with Confidence

The 4 Step Response Plan will help you with prevent privacy breach pain and give you the tips, templates, training, and tools that you can use right away to prepare your privacy breach response plan:

In the world of privacy breaches ‘If’ has become ‘When’. Will you be ready?

The best way to do this is by developing a privacy management program that covers all aspects of how you handle personal information. The 4 Step Response Plan will help your organization be prepared to prevent privacy breach pain. 

Click here for more information on the on-line 4 Step Response Plan course available now!

image

 

 

Learn How To Manage A Privacy Breach With Confidence
#PracticeManagementNugget, Canada, healthcare, mandatory notification, mandatory privacy breach notification, personal information protection electronic documents act, PIPEDA, podcast, privacy breach

Data Privacy Day 2020 Events And Resources for You!

Posted on January 14, 2020 by Jean Eaton in Blog

Data Privacy Day is an internationally recognized day dedicated to creating awareness about the importance of privacy and protecting personal information.

Information Managers Ltd is a Data Privacy Champion!

As a DPD Champion, Information Managers recognizes and supports the principle that organizations, businesses, and government all share the responsibility to be conscientious stewards of data by respecting privacy, safeguarding data and enabling trust.

“Each of us is responsible to manage our name and our identity. When you share your personal information, you have the right and responsibility to ask the person or business why they need the information and how they will protect your personal information.”

 Jean L. Eaton, Your Practical Privacy Coach of Information Managers Ltd.

Data Privacy Day Activities

Understanding Mandatory Privacy Breach Notification

To celebrate Data Privacy Day, Information Managers is hosting a free 30-minute webinar on Tuesday January 28, 2020.

Mandatory Privacy Breach Reporting is here!

Do you know how this will affect your healthcare practice?

. . then this free webinar is for you!

If you are a custodian–including physicians, pharmacists, optometrists, dentists, dental hygienists, chiropractors,  nurse practitioners, podiatrists, midwives, optometrists, opticians, and more!–as defined by Alberta's Health Information Act, then  . . then this free webinar is for you!

What you need to know about mandatory privacy breach notification!

In this Free Webinar, Jean L. Eaton, Your Practical Privacy Coach will explain

  • what is a privacy breach
  • why a privacy breach is a significant problem
  • why have mandatory privacy breach notification
  • lessons learned in the first year of mandatory notification
  • offence and penalty provisions of the HIA
  • privacy breach notification requirements
  • what you need to do now

Click Here to Register for the Free Webinar

Data Privacy Day Tip: How expensive is a privacy breach?

This tool from AlexioCorp quickly helps an office see the potential cost of a data breach.

Please use and share!!

button link

Privacy Protection In The Pink Seat with
Dr. Angela Mulrooney & Jean Eaton

While privacy is not technology driven, the lack of privacy, perhaps, is impacted by technology.

Many dental practices are overwhelmed with creating and implementing privacy and security policies and procedures and how to prepare a privacy impact assessment.

Angela and I discussed practical privacy tips for your dental practice to help reduce the overwhelm.

These tips apply to all types of healthcare practices.

“Talk Shop – Protect Your Business from Information Breaches”

Jean Eaton is a guest on Lauren Sergy’s “Talk Shop” YouTube channel.

Talk Shop learn from industry experts to be a better communicator in work and in life hosted by @lsergy. Privacy tips for business owners just in time for Data Privacy Day!

Talk Shop learn from industry experts to be a better communicator in work and in life hosted by Lauren Sergy!

 

 

I Heart Privacy!

Just in time for Data Privacy Day!

Print badges for your team.

I heart privacy Right-Click the image and select ‘Save As' to download and insert the image into your favourite templates to make badges or stickers or labels.

 

 

 

 

 

 

Or, use the done-for-you sheet of labels that you can print right away and slip into badge holders or print to stickers or labels.

I Heart Privacy DPD Badges      I Heart Privacy Badges

You can even customize the labels and add your business name!

 

Follow Us On Social Media!

Each day from Jan 22 – 28, we will have for daily privacy tips, and free links to additional resources on our social media accounts that you can download right away! Follow us!

Twitter

 

Stay Safe Online

For more information about how to get involved in Data Privacy Day and the Champions program, visit https://staysafeonline.org/data-privacy-day. You can also follow the campaign on Twitter at @DataPrivacyDay or Facebook at https://www.facebook.com/DataPrivacyNCSA and use the official hashtag #PrivacyAware to join the conversation.

Please use the social share buttons to share these Data Privacy Day activities with your friends and colleagues.

#DataPrivacyDay, #PrivacyAware, Data Privacy Day, Data Privacy Day Champion, Data Privacy Day Edmonton, healthcare

Top 3 Practice Management Nuggets Blogs and Podcasts in 2019

Posted on January 2, 2020 by Jean Eaton in Blog

I wish you a prosperous New Year and personal and professional growth.

Practice Management Nuggets blog posts and podcasts is designed to help you achieve that. I started this in January 2014. We’ve grown over the years and improved the technology and platforms to better help you start, grow, and improve your healthcare practice. I help you to manage the pink elephant in the room!

Over the last year, you have made these blog posts and podcasts rank in the top 3 for 2019. If you missed these, or want to re-visit them, follow the links below.

Check out these top 3 Practice Management Nuggets blog posts and podcasts.Click to Tweet

Here Are The 3 Best Blog Posts And Podcasts Of 2019

Top 3 Blogs 

Recent Privacy Breach Convictions Under Alberta’s Health Information Act

Curiosity Is NOT Need-To-Know

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

 

Top 3 Practice Management Nuggets Podcasts For Your Healthcare Practice

Privacy Awareness Quiz #PrivacyMatters | Episode #076

How Improved Patient Satisfaction Saves You Time And Money | Episode #074

Fax Received in Error – Is this a Notifiable Privacy Breach? | Episode #067

Stay tuned for more guest experts, tips, tools, templates and training in 2020!

blog, healthcare, podcast, privacy

How To Correctly Identify Patients And Use Photo ID

Posted on December 10, 2019 by Jean Eaton in Blog

Patients should be asked to show their Alberta Health Care Insurance Plan (AHCIP) card and photo identification when visiting a practitioner office.

The Importance Of Correct Patient Identification

Failure to correctly identify patients can lead to serious problems such as medication errors, as well as privacy breaches.

Positive patient identification is critical to ensure patient safety and protect patient data. According to industry research cited by RAND, 7-10% of registering patients are misidentified upon entry.

Patient mis-identification contributes to:

  • 27% of radiation errors
  • 29% of medication errors
  • 5% of wrong-patient/wrong-site surgeries
  • 850 medical errors and 20 deaths related to blood transfusions

And, of course, we must deal with the administrative headache of privacy breaches and medical identity theft and duplicate patient records!

In Canada, health ministries have underscored the importance of correct patient identification when they issue Patient Safety Alerts. Correct patient identification criteria is also included in Accreditation Canada standards.

Verifying patient information improves patient care and efficient business practices.Click to Tweet

Verifying patient information improves patient care and efficient business practices.

  • Care – Good patient care starts with correct patient identification. Incorrectly identifying patients contributes to medication, transfusion, procedure and testing, errors.
  • Good Documentation – Avoid incomplete, inaccurate, and duplicate patient records!
  • Gatekeeper –Each caregiver has the responsibility to identify the patient before providing a health service. I think that the family physician has an added role and responsibility of the patients’ gatekeeper to additional health services to ensure that the documentation of patient identification is correct at the time of registration.
  • Billing – Avoid rejected billing and re-work when you correctly identify the patient and record the data correctly the first time. Patient demographic information is best corrected while the patient is present at the clinic instead of trying to contact the patient after they leave the clinic.
  • Uninsured Services – The practitioner will submit a claim to the Alberta Health Care Insurance Plan directly for all insured services provided. If a provincial health care card is not shown or the individual is not eligible for coverage, they may be asked to pay for health services before receiving them.

How To Correctly Identify Patients

Ask The Patient Questions – When a patient presents to register for a new or repeat visit, ask for at least two sources of patient identification. You may also request new patients to complete a new patient registration form.

Ask for Photo Identification – Photo identification will validate that the information and the image of the patient in front of you corresponds to the information from the patient and AHCIP. If there is a discrepancy, the best time to sort it out is when the patient is still at the clinic.

New Patient Registration Form (optional) – A paper form allows for discretion when asking for demographic information including date of birth, address, medications, Alberta Health Care Insurance Plan, allergies, etc. This reduces overhearing the conversation from other patients and staff and can often improve workflow and reduce congestion at the reception desk.

Document – Record on the new patient registration form or the clinic note that the photo identification was reviewed and that the image matches the individual. Use a clinic note or other location in patient record that is used consistently in your healthcare practice. (Bonus Tip: You might be able to create a template clinic note in your EMR for this. Or, create a check list template of this and related tasks to be completed for each (new) patient registration.)

Enter the information into the patient demographic or EMR system. Use registration document standards to ensure consistent data entry.

Validate – the AHCIP # and the patient information is valid by using the Netcare parameter launch browser between the EMR and Netcare. This will also help to ensure that there are no data entry errors in the EMR. If necessary, assist the patient to complete a change of information form for AHCIP, or make an update entry in Patient Registry if you have appropriate access. If you don’t have access to the Netcare via browser or web sign-on, use the phone number to AHCIP for this purpose.

Don’t Photocopy The Photo Identification

You should record that you viewed the photo ID and verified, but do not record the unique number associated with the photo identification (for example, driver’s license number). Do not photocopy the photo identification.

Remember, we have a responsibility to collect the least amount of information necessary. Viewing photo id to verify the identity of the patient, is a reasonable step to ensure the safety of the patient and to prevent an error. Recording the drivers license number or photocopying the drivers license is not necessary to provide a health service and an unnecessary (and probably illegal) privacy and security breach.

Listen To The Podcast Here

Members of Practice Management Success

If you are a member of Practice Management Success, login and access the webinar replay, patient registration procedure template, collection notice template, and the new patient registration form template.

Not a member of Practice Management Success, yet? What are you waiting for?

Get Your Practice Management Success Membership Now!
#PracticeManagementNugget, AHCIP, Alberta Health Care, dentists, drivers license, healthcare, medical errors, Netcare, Patient identification, photo ID, podcast, registration, risk

Ransomware – 6 Mistakes Made By Dentists (And Their IT)

Posted on November 14, 2019 by Jean Eaton in Blog

Anne Genge of Alexio tells us that 96% of healthcare providers are concerned about how their staff are using personally identifying health information.

But, many healthcare providers and business owners don’t know what to do about it!

Can your staff protect you from a ransomware attack?

Yes, they can!

And it doesn’t have to be hard or expensive to do that.

Anne will help us to understand the cyber security risks that every healthcare practice in Canada is facing now and what you can do now to reduce your risk on Practice Management Nuggets For Your Healthcare Practice. Anne Genge, CEO of Alexio Corporation is my guest expert.

 

Anne Genge's #1 Tip to healthcare providers and practice managers

Invest in a professional cyber security risk assessment for your practice.Click to Tweet

My Favorite Takeaways From The Podcast

  • Ransomware is the biggest threat to any digital environment
  • Healthcare data is urgent – we need it to treat our patients.
  • Cyber security awareness is very low among healthcare providers.
  • Data loss often happens even when you can de-encrypt the data often resulting in 15% loss.
  • Without proper remediation, repeat ransomware attacks can happen.
  • Good backup insulate yourself from data loss, remediation costs, mandatory privacy breach reporting, loss of reputation, fines, and penalties.
  • Intrusion detection and prevention software can alert users to potential problems, but sometimes, individual users’ behaviour continues to put the practice at risk.
  • 90% -92% of successful breaches are facilitated by human error.
  • IT focus on efficient workflow and communications between systems. Security professionals monitor access to ensure it is authorized and appropriate. Both roles is necessary in our digital practices.

6 Mistakes Made By Dentists (And Their IT)

  1. Think that IT has them covered and that ransomware won't happen to me!
  2. Not updating and monitoring computer systems with intrusion prevention/detection.
  3. Don't have a comprehensive backup of all of your data in at least 3 locations.
  4. Don't run backup restore tests regularly.
  5. Don't have a written mandatory cyber security awareness training plan.
  6. Don't have an independent cyber security risk assessment and management plan annually.

Instead,

Take steps to prevent a ransomware attack – including cyber security education for your team, implement good IT systems, complete and comprehensive backup, and an annual cyber security risk assessment preventative digital IT health assessment.

Let Alexio help assess your risk, protect your practice, ensure data recovery, and train your staff.

Protect your investment today.

Get started with a quick on-line self assessment

Book a 30 minute consultation with Anne!

Follow Anne and Alexio on social media for more training and tips

InformationManagers.ca/Likes-Alexio

Anne GengeFeatured Guest: Anne Genge

Alexio Corporation

Anne Genge is a pioneer in protecting health data and those who use it. She is a Certified Information Privacy Professional with a specialization in dentistry. Anne also holds certifications for HIPAA, Credit Card Security, Internet, and Network Security. Ransomware and data theft have changed the face of dentistry in the past decade meaning dentists need a new toolkit for protecting their practices.

With over 20 years of experience, Anne knows the challenges healthcare providers face with technology. She and her team at Alexio Corporation work with dental and medical professionals to minimize data risk and maximize patient care. As healthcare grows increasingly dependent on the digital environment, cyber-security becomes increasingly more difficult. Protection of patient data is not only law, it’s imperative for business success and reputation. Anne simplifies cyber-security for dentists and other healthcare providers and gives ‘real world’ strategies to protect patient information and the practice business.

Be sure to tune in to my interview with Anne Genge,

Ransomware – 6 Deadly Mistakes Made By Dentists (And Their IT) | Episode #082

Listen To The Podcast Here
#PracticeManagementNugget, Alexio, Anne Genge, dentists, healthcare, podcast, ransomware, security risk assessment

Privacy of Health Information, an IFHIMA Global Perspective

Posted on November 12, 2019 by Jean Eaton in Blog

The 19th Congress of IFHIMA, the International Federation of Health Information Management Associations, will feature the release of IFHIMA’s latest whitepaper, “Privacy of Health Information, an IFHIMA Global Perspective.” I’m honoured to be the Chair of the Working Group and one of the authors. After months of work from dedicated HIM professionals and IFHIMA volunteers, I’m tickled pink to be able to share this with you.

Privacy of Health Information, an IFHIMA Global Perspective whitepaper provides a synopsis of current trends in privacy in healthcare around the globe, discusses the role of HIM professionals in privacy, and offers more detailed perspectives through case studies from Australia, the European Union, India, Qatar, the Republic of Korea (South Korea), and the USA.

Health Information Management (HIM) professionals have transitioned from their traditional role of health records custodian to data stewards and information privacy advocates and have an opportunity to take a leadership role with regard to the privacy of health information.

This privacy paper includes discussion on

  • Global privacy trends
  • What is personal information?
  • Privacy and trust
  • Challenges in maintaining trust when technology moves faster than regulations
  • Privacy stewardship foundations, including the role of the privacy/compliance officer
  • Avoiding risks, harm, and breaches
  • The complexity of breach notifications
  • How technology impacts privacy

After a thorough discussion, the paper also suggests several actionable steps that anyone can implement and discuss with their teams. Privacy is a team effort, but it requires a strong, trusted leader who can be the voice of clarity and transparency for patients, consumers, and regulators — all while building consensus.

These steps include:

  1. Get involved as privacy regulations are developed
  2. Assess what the regulations may mean to your organization
  3. Communicate your insight to the team, leadership, and regulatory bodies
  4. Identify required changes to systems, processes, and technologies
  5. Train your teams, admins, and patients about their privacy rights and responsibilities
  6. Commit to ongoing professional growth to stay abreast of the changing landscape

Privacy regulations that bring together emerging technology, healthcare processes and individual rights should take a pragmatic approach with consideration to future health information technology solutions such as telemedicine, Internet of Things and big data.

 

HIM professionals, in our role as stewards of health data, should be the voice of clarity and transparency for patients, consumers, and regulators. #IFHIMAClick to Tweet

6 Case Studies

The whitepaper includes observations and commentary about the status of privacy projects around the world, including the following case studies

  • My Health Record – The Australian Experience
  • General Data Protection Regulation of the European Union Reaches Far Beyond Europe
  • Health Care Privacy: An Indian Scenario
  • Developing a Global Standard for Health Information Privacy Workforce Education – A Republic of Korea (South Korea) Case Study
  • Health Information Exchange Implementation – Qatar, HIE Consent Model for Privacy Concerns – Privacy Regulatory Framework
  • Laying the Foundation for Privacy Practice and Compliance in the Outpatient Setting: Policies and Procedures. Download the Privacy of Health Information

This whitepaper will aid anyone tasked with planning for increased data sharing while trying to manage healthcare privacy. Ministers or Department of Health staff, privacy and data governance consultants, vendors, and health systems should find it especially helpful. Whether you are from a nation crafting its initial privacy regulations, or a nation revising insufficient policies, the information is relevant and enlightening.

I’d like to express my appreciation for the hundreds of hours of work contributed by this exemplary group of volunteers, including

Lorraine Fernandes

Angelika Haendel

Jenny Gilder

Mujeeb C. Kandy

Ok Nam Kim

Dr. Sabu Karakka Mandapam

Veronica Miller Richards

Dorinda M. Sattler

Dr. Rajesh Kumar Sinha

Selvakumar Swamy

Christopher Wilde

 

Click here to Register and receive this whitepaper and IFHIMA Global News, published three times per year.

 

Privacy of Health Information, an IFHIMA Global Perspective
#IFHIMA, healthcare, privacy, whitepaper

Recent Privacy Breach Convictions Under Alberta’s Health Information Act

Posted on October 15, 2019 by Jean Eaton in Blog

In August 2018, Alberta proclaimed amendments to the Health Information Act (HIA) that requires healthcare providers (custodians) to report a privacy breach with a risk of significant harm to the Office of the Information and Privacy Commissioner (OIPC), the Ministry of Health of Alberta, and of course, to patients affected by the privacy breach.

This requirement that custodians must report a privacy breach to the to the OIPC has resulted in a huge increase in the number of reported privacy breaches in healthcare.

Custodians includes healthcare providers like physicians, pharmacists, chiropractors, dentists, optometrists, registered nurses, health authorities, and more

This is not unexpected. We in healthcare know that there are many privacy breaches that happen everyday. Many of these breaches are honest mistakes. However, an increasing number are intentional, malicious actions intended to harm others.

The benefit of having these breaches reported to a regulator is to improve compliance to reasonable safeguards to protect the health information of Alberta residents. And, as a result, more custodians and affiliates (people that work for a custodian) are being held accountable under the HIA legislation to ensure that they are meeting the reasonable safeguards.

In the first year of mandatory privacy breach notification, the OIPC has received over 1,000 reports. Previously, when privacy breach reporting was discretionary, the OIPC received an average of 130 voluntary reports of privacy breaches annually.

​

What Happens When A Privacy Breach Is Reported To The OIPC

When a privacy breach is reported to the OIPC, the OIPC will review the report and consider the custodian’s determination if a reasonable risk to the patient(s) was present. The OIPC will review the report and consider:

  • agree (or not) with the determination of risk of harm
  • was the patient notified appropriately
  • is there an offence under the HIA
  • is an investigation warranted

If an investigation is indicated, the OIPC will conduct the investigation and report their findings to the Crown prosecutors at Alberta Justice. The Crown will determine if it will continue to press charges under the HIA.

Under the recent amendments to the HIA a custodian or an affiliate or both could if found guilty of an offence is liable for a fine anywhere between $2,000 to $500,000 depending on the circumstances and the nature of the offense. Other sanctions may also be applied by the court.

It takes time to report a privacy breach, have it reviewed and investigated by the OIPC and the Crown, and have individuals charged and appear in court.

We are now starting to see the first cases charged after the August 2018 amendments coming to court and privacy breach convictions under the HIA.

Unauthorized Access By Employees

During a routine internal audit of health records in the Alberta Public Laboratories clinical lab at the Red Deer Regional Hospital identified unauthorized access by lab employees. These breaches were first identified by the hospital during a routine audit of their electronic record systems. The internal investigation between December 2018 and May 2019 identified 2,158 patient records were accessed. Alberta Health Services reported that 30 staff were involved in these breaches and three staff are no longer employed by the lab.

Do you do routine audits? Here’s how.

There have been three recent decisions in from the Alberta provincial courts as a result of mandatory privacy breach reporting legislation.

Suspicious Activity Leads to Investigation And Charges

In June 2018, Alberta Health Services (AHS) received reports of suspicious activity by a billing clerk in Red Deer. An internal audit and investigation indicated that the clerk accessed the health records of 52 Albertans without authorization. AHS reported the breaches to the OIPC in June 2018.

The OIPC opened an offence investigation and referred its findings to the Specialized Prosecutions Branch of Alberta Justice. Charges were laid in July 2019. The former AHS billing clerk received a $5,000 fine on August 2019 and was ordered not to access health information for one year.

Snooping By A Clinic Employee

In another case, an Edmonton medical clinic employee was fined after pleading guilty to health data breach. The employee knowingly accessed health information of two people and made suspicious statements to the two individuals about their personal medical details. The individuals then requested access to the audit logs and the provincial electronic health record system, Alberta Netcare.

The individuals reported a complaint to the OIPC at which point the OIPC conducted an investigation.

The employee was charged in March 2019 and plead guilty in provincial court on September 26, 2019. She was fined $3,500 and ordered to pay a victim surcharge of $525.

Are Your Employees Privacy Aware? Start now!

Unauthorized Access By A Billing Clerk

On September 30, 2019 in Red Deer Provincial Court a billing clerk with Alberta Health Services was fined $8,000 for illegally accessing health records. The clerk opened health records of 81 people over 4,7471 occasions without authorization from his employer and custodian. The court also added the following conditions

  • 1-year probation
  • order to attend treatment and counselling and
  • not be employed in a position that allows him access to health information for 1 year

We will continue to see investigations under the HIA at appearing in our courts. The OIPC is currently investigating over 20 incidents and has flagged 70 more as potential offences.

Each of these incidents involved employees making poor choices about accessing patient health information. Reasonable prevention steps include privacy awareness training for every employee, healthcare provider, and contractor. In addition, every healthcare practice should be, monitoring access to records with routine audits and applying sanctions.

We obviously don’t speak often enough about what is acceptable, appropriate, and authorized access to patient’s health information.

Preventing a privacy breach is always less expensive than managing a privacy breach.

A privacy breach management plan will help you to prevent a breach and, when a breach happens, identify a privacy breach early to limit the risk of harm, size, and the cost of the breach.

 

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE 15 Minute Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Not sure what is considered a privacy breach? See When is a Privacy Breach a Privacy Breach?

 

References

CBC News. Investigation finds improper access to patient records at Red Deer hospital. Posted: Oct 04, 2019 12:48 PM MT | Last Updated: October 4 https://www.cbc.ca/news/canada/edmonton/red-deer-patient-records-breach-1.5309419

CBC News. Edmonton medical clinic employee fined after admitting to health data breaches. Posted: Oct 03, 2019 10:56 AM MT | Last Updated: October 3 https://www.cbc.ca/news/canada/edmonton/health-information-alberta-access-1.5307453

CBC News. AHS billing clerk fined $8,000 for illegally accessing health records Posted: Oct 09, 2019 10:47 AM MT | Last Updated: October 9. https://www.cbc.ca/news/canada/edmonton/ahs-billing-clerk-fined-8-000-for-illegally-accessing-health-records-1.5314783

CBC News. Jennifer Lee. Reports of health-care privacy breaches spike in Alberta. Posted: Oct 11, 2019 5:00 AM. https://www.cbc.ca/news/canada/calgary/health-care-privacy-breaches-spike-alberta-1.5316230

clinic, custodian, health, Health Information Act, healthcare, HIA, mandatory privacy breach notification, medical, physicians, privcy breach, reasonable safeguards

Healthcare Policies And Procedures: Essential in EVERY practice

Posted on October 8, 2019 by Jean Eaton in Blog

Policies and Procedures: What Are They and Why Do Healthcare Practices Need Them?

 

Policies and procedures are essential tools in EVERY healthcare practice.

We use written policies and procedures to ensure consistent office procedures and good communication between team members, but it doesn’t stop there.

Before we get to the many benefits of healthcare policies and procedures, let’s cover exactly what these terms mean.

Policies and procedures defined

For our purposes today, this is what we mean by these terms:

Policy: A set of ideas or plans that is used as a basis for making decisions.

Procedure: A fixed, step-by-step sequence of activities or course of action.

Both policies and procedures serve several important purposes in a healthcare practice.

Policies and procedures can help you:

  • Protect your practice with consistency in decision making and implementing routine tasks.
  • Provide team members direction and guidelines; help avoid micromanaging. Here’s more information on how policy and procedure checklists help with employee privacy and security.
  • Ensure quality and cost-effective processes.
  • Well thought out policies and procedures reduce re-work and make for more efficient practices.
  • Encourage team members to work to their full scope of responsibilities.
  • Contribute to compliance, including professional standards, HIA, insurance.
  • Protect your healthcare practice by demonstrating your administrative safeguards.

As powerful and effective as policies and procedures can be, they can also pose certain problems or risks if they’re not implemented properly — or if they don’t exist in the first place.

On that note, if you have policies and procedures in place, it’s also imperative to know where they are. Don’t miss this cautionary tale where I tell you why.

If your policies and procedures are unclear or non-existent, these are some of the risks you expose a healthcare practice to:

  • Fines and even jail time for the healthcare provider
  • Increased conflict and potential for misunderstanding within a practice
  • Increased conflict between employees, misunderstanding, and poor customer service
  • Poor business decisions and wasted time and money

Simply talking about your policies and procedures is not a good business strategy! You need to have clear healthcare policies and procedures in place if you want to reap all of their benefits.

So, let’s go over what makes a good healthcare policy with a clear and effective design.

Policies ask WHY and WHAT

Policies are the steps to put your goals into action — policies are proactive.

The WHY: Why is this policy needed? It is the general guide for decision-making.

The WHAT: What do you want to show for programs, activities, and services?

Each year, policies need to be reviewed and authorized by the clinic manager, privacy officer, healthcare provider and/or owners. Your team members need the opportunity to review and understand the policies regularly, too.

Review policies to assure that they reflect what the clinic is doing and that the clinic is following the written policy. Changes may need to be completed and approved.

Now, let’s cover what makes for good procedures before we get to how to create your manual.

Procedures ask HOW

The HOW: How you plan to carry out the objectives and details listed in your policies?

Your procedures should include sufficient detail so a new employee can complete a task based on the information provided.

We’ve discussed the objectives of your policies and procedures for your healthcare practice, now here are some useful tips for actually creating your policies and procedures manual:

  1. Include screen prints if computer-based.
  2. Include video explanations.
  3. Format the policy and procedures so that each policy or procedure is a separate, stand-alone document.
  4. Assign a NUMBER to each policy and procure to make it easy to reference in your PIA, or direct your staff to review. You can use any numbering system that you want — I usually use a sequential numbering system.
  5. Headings make it easier to group your information which makes it easier for the reader to review and then focus on the details that they need. Repeat the same headings throughout the policies and procedures to provide consistency across the manual. Use the headings as needed; not all policies or procedures need all the headings.
  6. Cite legislative and standards requirements, like the HIA.

When you’re implementing changes to these policies and procedures or creating them in the first place, be sure to involve key parties. This includes:

  • Custodian/trustee/business owner
  • Clinic manager/team lead
  • Privacy officer

Remember, implementing a new procedure or policy successfully must always include training and discussion with your team.

Stay tuned for an upcoming post where we discuss which policies and procedures to include In your healthcare practice and your privacy impact assessment.

​Get the Reliability And Power of Policy and Procedure Templates Without Spending Hours (or Days) Creating Them!

Your healthcare practice needs written policies and procedures to assist you to correctly, efficiently, and confidently collect, use, access, and disclosure of health information so that you can meet your accreditation, privacy impact assessment, and regulatory compliance requirements.

Show Me Policy And Procedure Templates!

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies And Procedures Are?

Why Do You Need Health Information Policies and Procedures?

Safeguards: The What, Why, and How

When Do You Need a PIA Amendment?

When is a Privacy Breach a Privacy Breach?

clinic, custodian, health, Health Information Act, healthcare, HIA, medical, physicians, PIPA, Policies and procedures, Privacy Impact Assessment, reasonable safeguards
‹1234›»

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

I have used Jean Eaton’s Privacy Impact Assessment consulting services on multiple projects at a very reasonable cost. Information Managers also provides a plethora of privacy information, education and training tools for minimal costs. One thing that has helped satisfy the training needs of staff for the PIA is paying for her in service program that is online and staff go through at their own pace while we monitor to ensure completion.

- Luke Brimmage, Executive Director, Aspen Primary Care Network

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2020 Information Managers Ltd.