Do You Have a Password on Your Point of Sale Device? You Should!

Posted on November 30, 2018 by Jean Eaton in Blog

Avoid scams with your credit / debit machine now. Check out this article from CBC news

You can activate a security feature with your credit / debit machine that allows you to create a password before someone can access the administrative controls on your device. In this case, the scammer used a pre-programmed ‘credit card' and inserted it into the point of sale (POS) device. The card is actually a fake “administrative card,” which gives them complete access to the terminal, and allows them to manually enter in an alternative, usually stolen, credit card number.

The scammer walks away without using any of their money for the purchase. And the clinic owner is stuck with the bill.

When the purchase is discovered as fraudulent, the vendor has to pay back to the credit card company whatever the amount that the scammer entered into your POS device.

You will also likely receive a “chargeback” fee from the credit card processor.

Do you know who manages the POS password in your clinic? Who is the back-up person?

Do you maintain the passwords in a secure, corporate, password manager service?

Have you added this to your Health Information Privacy and Security Manual? You should!

clinic, Fraud, healthcare, password, point of sale device

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Posted on November 29, 2018 by Jean Eaton in Blog

In order to provide services, healthcare practices must collect pertinent information from patients. This data gathering often includes many sources of information, across different types of technology, among multiple vendors. Good business practices and health records management is supported by three agreements your healthcare must have: information manager agreement (IMA), information sharing agreement (ISA), and successor custodian agreement.

For instance, when a patient attends a clinic, their details are nearly always entered into a computer software program to maintain demographic information, manage patient appointments, and to process payments. Often, health service providers (including physicians, pharmacists, chiropractors, dentists, psychiatrists and more) record their patients’ notes into an electronic medical record (EMR).

Patient information is shared between providers where required. For example, when the patient visits a diagnostic lab for testing, results are often transmitted electronically to the ordering physician’s fax machine or to the EMR.

Custodians including physicians, pharmacists, chiropractors, dentists, and psychiatrists, as defined by the Alberta’s Health Information Act (HIA), must follow HIA legislation when they collect, use, and disclose health information.

Often, custodians are also the owners of independent healthcare practices. However, an owner of a healthcare practice is not the custodian if they are not also an active member of a regulated health profession named as custodians in the HIA.

1. Information Manager Agreement

The HIA allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, so patients can receive health services, and make payments. This often requires the custodian to share patient information with a vendor (or give them access to) so the vendor can process, store, or provide information as needed.

The custodian selects one or more business to provide the services, equipment, or software to assist in the management of health information. For example: EMR provider, contracted transcriptionist, billing agent, remote backup service, etc. These businesses are known in the HIA as information managers.

Before sharing health information with someone else, the custodian must ensure that the partners and vendors have reasonable safeguards in place to protect sensitive health information. The custodians must ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

The Information Manager Agreement (IMA) is one of three crucial agreements a healthcare practice must have in place.

If You Don’t Have an IMA

If you are a custodian who uses vendors as part of your business and you do not have an IMA with that vendor…

You are in breach of the HIA.
You may incur fines under the HIA.
You may face sanctions and disciplinary actions from your professional regulatory college.
Almost certainly, you will encounter conflicts, poor communication, between yourself and the vendor(s) and the other participating custodians in your practice.
You may lose control of the health information as reported in the Investigation Report H2013-IR-01from the Alberta Office of the Information and Privacy Commissioner (OIPC).

In a press release from the Alberta OIPC in 2013, Information and Privacy Commissioner Jill Clayton noted that:

“The HIA allows custodians to disclose health information to IT service providers, such as EMR vendors, under an appropriate Information Manager Agreement. When custodians do not sign these agreements, they may find themselves in the unfortunate position of losing control over the health information they need to provide health services.”

Investigation Report H2013-IR-01 (https://www.oipc.ab.ca/news-and-events/news-releases/2013/investigation-report-h2013-ir-01.aspx)

Who Must Create the Information Manager Agreement?

The custodian is responsible to ensure that there is an appropriate IMA created and signed.

The information manager can assist the custodian by preparing templates of the IMA including specific details of the services that they will provide and the safeguards that the vendor will implement to protect personal health information.

Key Points About IMAs

A few important notes about IMAs.

IMA must be signed by the custodian.
Agreements signed by individuals who are not custodians are not valid under the HIA.
Custodians are required under the HIA to have an IMA with the vendor before disclosing health information. If there is no agreement in place, the custodian is in breach of the HIA.
Custodians are responsible for the health information that they collect, use, and disclose. Therefore, the custodian is responsible for the IMA and to ensure that the health information will be handled confidently and securely.

Key Points IMA

The custodian can select the best vendor and information manager for the job. The vendor who understands the requirements of the HIA and who can demonstrate that they have implemented the appropriate reasonable safeguards and can assist the custodian to develop an appropriate IMA is, in my opinion, demonstrating a significant competitive advantage.

All healthcare providers in a community practice should spend time when creating their business to establish good business practices, including developing written contracts and agreements to improve the efficiency of the business and to make things happen in the way that they are planned.

Here is a common example

Dr. Alice and Dr. Mark created a welcoming family medical practice in a new sub-division of their city. They each worked hard to attract new patients, hire and train staff, and develop a profitable business.

In the last few years, Alice and Mark had differences of opinion on how to grow their business. In the end, Alice decided that this type of practice wasn’t for her. She decided to leave and join a larger practice in a neighbouring subdivision. Alice wanted to take her patient’s records with her to her new practice and continue to see her patients at the new location.

Mark, who had signed the IMA with the EMR vendor, did not agree to Alice’s request to transfer her patient records to her new group practice.

Alice and Mark argued and eventually involved a professional mediator to help them resolve their business conflict. Hurt feelings between the providers and staff, costly delays in their business and expenses could have been avoided if Alice and Mark had established clear expectations in the event of the termination of their business partnership when they started their group practice. An IMA between custodians in a group practice is a recommended best practice.

When You Have Multiple Custodians in Your Healthcare Practice

When the practice has multiple providers, the owner and custodian frequently assumes responsibility for maintaining the contracts and IMAs with the vendors. Each of the participating healthcare providers may delegate the responsibility of maintaining the vendor arrangements to the custodian owner. This can be achieved with an IMA between the owner / custodian and each participating custodian.

Custodian Owner IMA

Each healthcare provider custodian is considered the custodian of the health information that they collect. The custodians can jointly agree to all use the same EMR. This provides continuity of care for the patients and economy of scale for the participants of the practice.

When the owner/custodian signs the agreement with the EMR, they become the signatory custodian. The EMR vendor takes their instructions from the signatory custodian.

The owner / custodian is now an information manager for all the participating custodians. but does not become a custodian of the health information provided to them in their roles as an information manager.

For example,

Dr. Bill opened his medical practice, ABC Clinic. Later, additional physicians were recruited to work at ABC Clinic. The physicians are each custodians as defined by the HIA.

Dr. Bill assumes the responsibility for the operations of the clinic including the computer network and the contract with the EMR vendor. Dr. Bill is the information manager for the patient records at the clinic.

Each physician signs an IMA with Dr. Bill and agree that he will continue to manage the patient records on their behalf. Dr. Bill is operating as an information manager.

In his role of the information manager, Dr. Bill must follow the instructions from each physician, the custodian, as it relates to the management of their patients’ records.

2. Information Sharing Agreement (ISA)

When you have more than one physician in your practice, you need an agreement about how you will decide to manage the personal health information in your practice.

An Information Sharing Agreement (ISA) focuses on the internal decision making about all things related to personal health information whereas, an IMA is an agreement with a single vendor about the services that the vendor provides.

ISA IMA

An ISA may include things related to the services that a vendor provides but is not limited to just vendor services.

It also includes decisions about the process to ensure appropriate role based access to personal health information in the EMR, computer network, and paper formats; the regular review of health information privacy and security policies and procedures, ensuring privacy and security awareness training, the regular review of administrative, technical, and physical safeguards in the practice, and so on.

In larger organizations or when several smaller organizations participate in an information sharing initiative, a Data Management Committee may provide oversight and facilitate this process.

An ISA is a requirement of the College of Physicians and Surgeons of Alberta.

Identifying a successor custodian is also a requirement of the College of Physicians and Surgeons (CPSA).

3. Successor Custodianship Agreement

As a business owner, you need to plan a successor to the business. This might be an interim or short-term decision to ensure continuity during an absence or future retirement planning or unexpected illness or death.

In healthcare, physicians and custodians have the added responsibility as the ‘gatekeeper’ for patient records. In the event of a sudden inability to meet these responsibilities, physicians need to identify a successor custodian to ensure appropriate and continued access by patients to their health information for their continuing care and treatment and to ensure that the continuing confidentiality, security, and access to patient records continue to be fulfilled.

Have you identified a successor custodian? Each of the physicians in your group practice should also identify their own successor custodian.

This is a CPSA requirement and should also be included in the Privacy Impact Assessment if you have this information available. See CPSA, Patient Record Retention, s.5:

A regulated member acting as a custodian must designate a successor custodian to ensure the retention and accessibility of patient records in the event the regulated member is unable to continue as custodian. (Reference: Health Information Act Section 35(1)(q)

If you are a chiropractor, the Alberta College and Association of Chiropractors (ACAC) further requires its members to name a chiropractor as the successor custodian to maintain the status of ‘chiropractic’ records. (See the ACAC’s Standards of Practice s5.3 Custodianship of Health Records.)

A chiropractor, as a custodian of health records, is responsible for the care and control of the health records in their practices as required by the Health Information Act of Alberta. A custodian of active chiropractic files must be under the custody or control of an active, registered member of the ACAC.

Note that under the Health Information Act, a chiropractor may disclose files to another custodian who is not a chiropractor, and only a chiropractor may have custody or control of chiropractic files. Chiropractic files disclosed to a non-chiropractor should no longer be considered chiropractic files.

A custodian must implement technical and physical safeguards to protect the confidentiality of the information and privacy of individuals as well as protections against reasonably anticipated threats to the security or integrity of the information. A custodian must also defend against unauthorized uses, disclosures or modifications of the information. Safeguards must be periodically assessed and documented in policies and procedures.

If you are working in an owner/custodian scenario discussed above, clearly identifying a successor custodian becomes imperative. An unplanned absence of the owner / custodian can seriously jeopardize the business and the continuing care and treatment of patients.

The custodian can, but is not required to, name another custodian in the same practice to be their successor. Whatever your decision, ensure that this is well documented and easily accessible to the other custodians and key decision makers in your organization in the event of an emergency.

The best time to create IMA, ISA, and Successor Custodianship Agreements is when you start your healthcare business.

The second best time in now.

What are you waiting for?

If you need assistance, contact Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers. I’m here to help you with your Practice Management Success.

Download the FREE Report - Top 3 Agreements Your Healthcare Practice MUST Have

If you are a member of Practice Management Success, login here to access the Top 3 Agreements.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

chiropractors, dentists, health care, Health Information Act, healthcare, HIA, IMA, information management agreement, information manager agreement, information sharing agreement, ISA, medical, physicians, Practice Management Success, successor custodian

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

Posted on September 25, 2018 by Jean Eaton in Blog

You are working at the reception desk of a healthcare practice. Suddenly, there is a police officer or court officer giving you a court order to produce patient records!

Don’t Panic!

In this month’s Q&A with Jean, we discussed how to prepare patient records for a court order with confidence!

Now, just a reminder, I’m not a lawyer and I don’t play one on TV. These are my recommendations based on my experience as a director of health records in hospitals in Canada, as a court reporter, and as a mentor to clinic managers in independent healthcare practices and not legal advice.

Follow These Steps

In this article, I am not discussing a situation which relates to a life-threatening situation that requires an immediate response. I am also not discussing when order relates to the type or quality of healthcare provided to the patient or when the actions of the healthcare provider or clinic is being challenged or reviewed. These are topics for a different article.

Your reception staff should not accept the court order but, instead, immediately ask the officer to wait for a few minutes so that they can request their supervisor or privacy officer to meet with them.

When the court order is an administrative request for information, the supervisor or privacy officer will accept the court order from the officer. Before the officer leaves, make sure that you read the court order carefully and ensure:

Who is named in the court order often the clinic manager of the clinic. Your clinic should be specifically named or, perhaps, the name of your lead physician or healthcare provider.
Record the date and time that you received the order.
Clarify when the response is required.
The name and the contact person of the officer that delivered the court order (if possible) or, at minimum, the contact information of the court, for example, the court clerk’s office or the witness co-ordinator, or the sheriff’s office is included on the court order.
The province or jurisdiction of the court. Generally, it should be the same province where your clinic operates. If not, contact your lawyer for advice on how to respond.

Review Your Policies and Procedures

This is not a routine request from a patient to access their health records or a request to disclose their records to a third party like a lawyer or insurance company. In those routine requests, patients routinely require to provide a written, signed consent before you can disclose their records.

When you receive a court order or subpoena to produce patient records at a court or other legal proceeding, you are not required to get a signed consent from the patient.

Each healthcare practice should have detailed policies and procedures on how to prepare patient records for a court order. Review these now.

If you don’t have up-to-date policies and procedures, see the Practice Management Success Tip, How to Prepare Patient Records for a Court Order.

Validate the Court Order

Read the court order carefully. In particular,

Phone the contact number on the court order.
Confirm the date, time, and location that you are required to appear.

Locate the Patient Record

Find the patient information maintained in an electronic database, electronic medical record (EMR) and/or paper records. Remember to look for both active and inactive patient records as needed by the court order.

Read the patient record carefully, line by line, to ensure that the record is complete. For example, make sure that all lab reports, prescriptions, consultation notes, etc. are included in the record.

Secure the record to prevent snooping or modification to the record. Also ensure that the record is available for continuing care and treatment of the patient, if needed.

In an electronic record, prepare an audit log of all the transactions on that patients’ chart.

Ensure there is no duplicate or second chart for the patient that may have been created in error. Search by alternate names, spellings, date of birth, etc.

Ensure that each custodian included in the patients’ care and your healthcare practice’s privacy officer is informed of the court order to produce the record. The custodian should be provided an opportunity to review their clinic notes. Remind the custodian that they cannot further disclose the patient's record.

Prepare the Patient Record

Review the court order and identify exactly what information is requested. It might be for specific dates or a condition or treatment.

Keep complete and detailed notes about how you prepared your response to the court order. You will bring your notes with you to court to assist you in your testimony about how your clinic creates and maintains patient records and what you did to respond to the court order. After your court appearance, you will maintain your notes as part of the business records for the clinic.

Collect the information and record each of your steps and your results, including the records that you searched for and did not find any results.

If you maintain your patient records in an electronic medical record (EMR) or digital practice management software, print out a hard copy of all the information that responds to the information that is requested.

Sever (also known as redact or black-line) any information that is not appropriate to include in the disclosure. Cross-reference each redacted entry to the legal authority not to include the information in the disclosure.

If you are using an EMR, organize the paper print-out in a format that makes sense. This might be chronological date order, or group like records (clinic notes, lab results, etc.) together.

Create a ‘Table of Contents’ of the information in the patient record. This will help you in your testimony to quickly find requested information, help the court to locate information in the records that you have prepared.

At the same time, handwrite in ink at the bottom of each page the sequential page number in the package. Update the table of contents with the page numbers.

Stamp ‘COPY’ on each page.

When the package is complete, make a photocopy (or two) of the entire package. The ‘original’ paper copy will be maintained at the clinic. Bring the original and the copy to court and ask the court to accept your copy. Return the original package to the clinic and securely maintain this as part of the business records of the clinic until the court file is complete.

When You Attend At Court

As the clinic manager, your role at the court is to tell the court how patient information is collected and maintained in your healthcare practice. Your job is not to interpret the content of the clinic notes.

A few days prior to the court date indicated on the court order, phone the clerk’s office or witness support office to confirm the date, time, and location of the proceedings and if you are still required to attend.

On the day of the proceedings, report to the clerk of the court.

Bring with you the court order, your photo ID, the patient record, and your notes. Bring a good book to read in case you have a long wait.

You will be advised (again) if you are required that day. If you are not required, the clerk will make a notation on your court order to appear that you attended and that you have been dismissed. Keep this in your business records with the patient record.

If your testimony and the patient records are required, you will be called as a witness during the court proceeding.

You will be asked to swear or affirm an oath to speak honestly during your testimony.

Typical questions that you should be prepared to answer include:

Your name.
Your role at the clinic, how long you have been in that role, your routine tasks and responsibilities at the clinic.
Describe how patient records are maintained. Be prepared to explain your EMR or computer patient management system (if you have one).
Bring your notes about the steps that took to prepare for the court order. You may ask permission of the court to refer to your notes that you created when preparing to respond to the court order during your testimony, if necessary.
Explain that the patient records are kept electronically and that you have prepared a paper print-out of those notes.
Be prepared to explain how you know that the records are complete, not missing any details, etc.
If the court asks you to enter the records into evidence, explain that you have an ‘original’ and a ‘copy’ and ask the court to accept the ‘copy’ into evidence.

When You Return to the Clinic

Complete your notes by documenting your day at the court. Write a short summary of your day including:

Did you give a copy of the patient records to the court? To whom?
Remember to add this notation to the patients’ record that you disclosed this information according to the court order.
Any follow-up required for this disclosure?
Review your procedures. Anything that you would edit or provide additional instructions that will help you to be better prepared for next time you receive a court order?
Submit a copy of your out of pocket expenses (parking receipts, meals, etc.) for re-imbursement by your employer, if applicable.

What You Should Do Now

Review your policies and procedures now to ensure that it includes how to respond to a court order.
Train your reception staff on what to do if they receive a court order.
Train your privacy officer and clinic manager on how to prepare a patient record for a court order.

Depending on where you work, you may receive a court order regularly or it might be a once-in-a-career experience. When you have policies and procedures and a little bit of training to assist you, you can respond to a court order calmly and confidently.

If you are a member of Practice Management Success, login and access the ’Procedure: Preparing Patient Records for a Court Order’ template and the replay of the tutorial video.

Download the FREE eBook - Preparing Patient Records for a Court Order Now!

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

court order patient records, health care, health records, healthcare, medical, Practice Management Success, subpoena to produce patient records, template procedure

New Mandatory Privacy Breach Notification Form

Posted on September 13, 2018 by Jean Eaton in Blog

AS of August 31, 2018, the new Alberta regulations regarding mandatory privacy breach notification requirements are in force.

The Alberta Minister of Health (MOH) and the Office of the Information and Privacy Commissioner (OIPC) have published the mandatory notification forms for you to submit your privacy breach notifications.

You can download the forms here:

Notification to Alberta’s Minister of Health: http://www.health.alberta.ca/about/Health-Information-Act.html

Notification to the OIPC: https://www.oipc.ab.ca/forms.aspx

You Will Be FINED $50,000 if You Don't Do This!

If you don’t have an active privacy breach management program and are not compliant with mandatory privacy breach notification, you may be fined up to $50,000.

I recommend that you also use an internal privacy breach reporting form to document your investigation and reporting. The form will help you to navigate the privacy breach management process and record information for your internal use. You can then copy and paste the necessary information to the mandatory notification forms.

If you are a member of Practice Management Success, login and access the Procedure Privacy Breach Management Template including the Privacy Breach Report Form.

Not a member of Practice Management Success, yet?

What are you waiting for?

Get Your Practice Management Success membership

If you are a member of the 4 Step Response Plan, login and access my video and review of how to use the MOH and the OIPC forms.

What You Should Do Now

Update your current privacy breach reporting policies and procedures with the new requirements for mandatory privacy breach notification.
Include copies of these new forms in your procedures so that you can easily access them when needed.
Ensure that your custodians are aware of the new mandatory privacy beach notification regulations. You can share the e-book, Understanding Privacy Breach Notification, to assist you.

Additional Resources

Alberta Health has also added a new chapter, Duty to Notify, to their HIA Guidelines Manual. You can download this chapter here. This provides additional examples of privacy breaches and appropriate responses including comments from OIPC investigations.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

Alberta, Canada, health care, healthcare, mandatory breach notification, mandatory privacy breach notification, medical, Practice Management Success

Can You Use Text Messaging With Patients?

Posted on September 6, 2018 by Jean Eaton in Blog

Have you ever said…

“If only I had someone to ask!”

Each month, we discuss your questions about practice management, human resources issues, clinic management best practices, procedures, resources, practical privacy tips, and more in Practice Management Success membership.

In this Q&A, we're talking about:

Can you use text messaging with patients?

The short answer is, ‘Yes’.

The longer answer is ‘Yes, but . . . make sure that you are really clear about why you want to use text messaging, carefully plan the implementation and monitor its use.’

What is the Purpose for Texting?

Clinics are feeling pressured to provide texting as a communication option to their patients.

It is important to be clear about why you want to use texting.

Texting from the Patient to the Clinic

What is the primary purpose for patients to text the clinic? It may be because they are in a remote community and texting is the only way to keep in touch with their healthcare provider. You might choose to accept text messages for appointment requests or continuing care and treatment.

Texting is generally not a secure communication method. It is difficult to confirm the identity of both the sender and receiver which can result in both communication and medical error.

It is difficult to communicate clearly using text short form and emoji!

What Are the Risks?

As the custodian, you need to weigh the risks of using texting vs not using texting. For example, if your work includes assisting people who are in crisis or are otherwise at risk, you may decide that the risk to the patient who has access to their healthcare provider using unsecured text messaging is less of a risk than the patient who experiences a critical incident and does not have other access to their healthcare provider.

You must decide what are the acceptable risks and appropriate use of text messaging.

I find that creating scenarios is a good way to do help you set up your boundaries. In what situations is using text messaging OK? In what scenarios is it not appropriate to use text messaging? Are there alternative technologies that can better, and more securely, meet these needs?

Record your reasons about what you will – and what you won’t – accept in your text messaging solution as part of your project documentation and implementation training.

text messaging risks

Workflow When You Receive Text Messages from the Patient

Consider how you will document the communication from your patient into the patient’s health record.

Is the device to receive the text message registered with the clinic?
Who will receive the text message from the patient?
How will you transpose that meaningful communication with the patient to the patients’ health record?

Be guided by the discussions in your team and with your patients to develop your policies and risk mitigation plans.

Texting From the Clinic to the Patient

Is your goal of a text solution to automate a workflow like routine appointment reminders? Or, perhaps, some episodic messaging like offering follow up appointments to discuss test results?

Authorization

Remember that the custodian (physician, pharmacist, dentist, dental hygienist, chiropractor, and more) assumes the risk of using unsecure technology. You can’t transfer the risk to the patient. However, you can mitigate the risk of error and unauthorized use of the health information by creating rules for use and ensuring that the patient understands:

how the technology is used,
your offer to use the technology in your healthcare practice,
the risks to the patient’s privacy and security of their personal information,
the patients’ role to prevent misuse of their personal health information, and
an agreement to follow the rules about the technology solution.

If you are a member of Practice Management Success, click here to access the sample authorization agreement.

Mitigation strategies

Alternate Technology Solutions

There are some third party vendors that can help you with routine text messaging with your patients. Wherever possible, use two factor authentication. For example, you might have a system where the patient must enter a PIN number before they can read the entire message from the clinic.

There are trusted technology solutions that you can use for text messaging. Many EMR providers now allow the clinic to text message your patients right from the EMR or patients can access the EMR using a patient portal. This is, by far, the most efficient workflow. It is usually the most secure technology and integrates the communication into the patients’ health record without copying and pasting, uploading, or re-typing into the patient record.

Microquest’s Healthquest EMR, for example, offers integrated appointment reminders via email, text, or voice messaging. Clinics can also allow patients to book their own appointments online with an online calendar integrated to the clinic’s Healthquest EMR.

Alternate third party texting solutions from trusted vendors that we have interviewed on our podcast, Practice Management Nuggets for Your Healthcare Practice, include Bleen and ezReferral.

Bleen is a third party patient appointment management application that allows patients to register with your clinic to receive appointment reminders by text message or phone call. The system also provides a self-help solution to patients to schedule their own appointment with their healthcare providers.

Clients with Bleen have seen dramatic changes in their patient management resources – reducing 40% to 60% of phone calls and 75% of no shows.

Click here to listen to the Practice Management Nuggets interview with Chris Narine and Robert Cove of Bleen.

ezReferral provides a third party referral management application that improves communication between the patient and the referring and consulting providers. The system saves an average of 60 minutes of staff time for each referral and improves the patients’ access to health care in a timely, efficient manner. It also includes a built-in secure fax solution.

This solution is ideal for healthcare practices with referrals within the medical community and even better when you are working with multidisciplinary referral teams. ezReferral works well for both paper based and electronic medical record based practices.

Click here to listen to the Practice Management Nuggets interview with Dr. Denis Vincent of ezReferral.

Privacy Impact Assessment

Before you implement a text solution to your practice you need to update your privacy impact assessment (PIA) or prepare a new, project based PIA. This doesn't have to be a big undertaking but it is really important that you take the time to design and document your application and implementation.

Privacy Impact Assessment

If you need some help with your PIA, I encourage you to take a look at our on-line e-course, Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments.

Efficient work flow, clear procedures, and rules of use authorization with your patients improves the likelihood that text messages will be used the way that you intended. However, these practices does not make the technology breach-proof. Carefully consider the merits of text messaging and how you can mitigate the risks before implementing text messaging in your healthcare practice.

Tell me more about PIA's

Download the FREE Report - Can You Use Text Messaging with Patients?

If you are a member of Practice Management Success, login and access the webinar replay, and the patient authorization form template.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security expecially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

health care, healthcare, medical texting, Practice Management Success, Text messaging with patients, texting patients, texting with patients

Do Your Patients Know Your Office Holiday Hours?

Posted on August 27, 2018 by Jean Eaton in Blog

Holiday hours are great opportunities to easily create social media content for your healthcare practice–let your patients know about changes to your office holiday hours.

The Easy Way to Add Content to Your Social Media

One of the most frequent question that every office receives is – what are your office hours?

It makes sense to share this information in an automated way. This saves time in the telephone queue and makes everyone's day a little smoother. Add the information to your telephone answering system messages, website, posters in your clinic, and in your social media channels.

Common social media channels include Facebook, Twitter, and Instagram.

When the content appears in your social media channel, your patients will expect regular updates from you around each holiday and will return to your social media channel again and again over the year.

Let your patients know about changes to your office holiday hours!

Encourage your patients to visit your social media over and over again!
Easy for you to add content that your patients want to see.
No new technology for you to learn – copy and paste!

There is a simple way to create this content.

Follow these steps:

1. Select Your Images

You can use any related image and size it to print and display in your clinic or your social media channel.

2. Add Your Logo

You could use an image without adding your branding. But, for more impact, I recommend that you take just a few minutes and use a photo editing software to add your clinic name and logo to the image. You want the reader to know which clinic the image is about! This is also a good way to continue branding for your clinic.

There are many free and easy photo editing software systems. I like to use Canva.

Once your images are edited, download them to your computer network system.

3. Prepare Your Social Media Content

Working with your authorized social media manager, confirm your holiday hours and related messages.

Sample message that you will type into the new social media post.

Happy Easter from all of us at ABC Clinic!

Please note we will be closed Monday March xx to March xx.

We will be back to regular office hours on Tuesday.

For our latest hours of operation, please visit our website [insert website address].

4. Save Your Files

Keep a copy of your images and your social media messages for use next year.

You might store the images and your notes on a shared folder on your computer network. For example,

Social Media >> Holiday Announcements >> Month Holiday

5. Publish Your Holiday Announcements

Add your images and the messages to your website and social media channels.

Let Me Make This Easier For You!

I've found images that you can use for your office holiday hours messages.

Download the FREE Holiday Hour Templates

and receive 10 images that you can use all year long!

template

Get the Free Statutory Holidays Images Templates

Would you like more tips like this?

Members of Practice Management Success Membership enjoy access to Tips, tools, templates and training to help you start, grow, fix, or maintain your healthcare practice!

Membership is open to all healthcare practices of any size – physicians, optometrists, audiologists, dentists, chiropractors, physiotherapists, nurse practitioners, and more!

Member access to online resources when you need it along with networking and support from other clinic managers, practice managers, and healthcare providers in independent community practices – just like you!

Learn More About Practice Management Success

clinic management, facebook, healthcare, holiday hours template, medical, practice management, social media images

How Will Mandatory Privacy Breach Reporting Affect You?

Posted on July 24, 2018 by Jean Eaton in Blog, PMN Upcoming

Mandatory Privacy Breach Reporting is Coming to Alberta!

Do you know how this will affect your healthcare practice?

. . then this free webinar is for you!

If you are a custodian–including physicians, optometrists, pharmacists, dentists, dental hygienists, chiropractors, nurse practitioners, podiatrists, midwives, optometrists, opticians, and more!–as defined by Alberta's Health Information Act, then . . then this free webinar is for you!

You need to know how mandatory privacy breach reporting will affect you!

In this Free Webinar, Jean L. Eaton, Your Practical Privacy Coach will explain

what is a privacy breach
why a privacy breach is a significant problem
why have mandatory privacy breach reporting
offence and penalty provisions of the HIA
privacy breach notification requirements
what you need to do before August 31, 2018

Join us for this Free webinar

Recorded LIVE Thursday July 26, 2018

Register NOW to get immediate access to the replay and valuable resources to help you prevent privacy breach pain!

. . . available for a limited time!

Register for the FREE Live Webinar Replay!

Check your email for the link to the webinar!

You will also benefit from receiving notices about upcoming events on Privacy Nuggets and similar announcements.

We don't sell or share your personal information. Ever.

Jean L Eaton, Your Practical Privacy Coach with Information Managers Ltd.

“When we know better, we can we do better.”

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too!

I help primary care practice managers and health care providers properly manage the risk of a privacy breach, stay out of jail, avoid fines AND keep an efficient practice!

Jean L. Eaton, Your Practical Privacy Coach Information Managers Ltd.

#PracticeManagementNuggets, amendment, health care, healthcare, mandatory privacy breach reporting, medical, privacy breach, privacy breach notification, Privacy Impact Assessment

A Privacy Impact Assessment is Easy – When You Start With a Good Plan!

Posted on July 5, 2018 by Jean Eaton in PMN Live

Do you need a PIA? or a PIA amendment?

If you are a healthcare provider or clinic manager and are not sure if you need a Privacy Impact Assessment . . . then this 30 minute free webinar is for you!

If you are a custodian–including physicians, optometrists, dentists, chiropractors, nurse practitioners, podiatrists, and more!–as defined by Alberta's Health Information Act, then you probably need a PIA.

Jean L. Eaton, Your Practical Privacy Coach will explain

what a PIA is,
why you need it, and
how to start planning to prepare a PIA.

Click the arrow >> below to play the video

“When we know better, we can we do better.”

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too! I designed this course to assist healthcare providers, clinic managers, practice managers, privacy officers and independent healthcare practice owners provide practical privacy awareness training that was easy to implement, consistent content, cost-effective and meaningful to your day-to-day business.

When each member of your independent healthcare practice completes this privacy awareness course, you will have clearer expectations and confidence that your team will maintain the privacy, confidentiality and security of your patient’s health information. Give your patients the gift of privacy. Improve your healthcare practice with privacy awareness education.

Jean L. Eaton, Your Practical Privacy Coach Information Managers Ltd.

#PracticeManagementNuggets, amendment, health care, healthcare, medical, Privacy Impact Assessment

A Privacy Impact Assessment is Easy – When You Start With a Good Plan!

Posted on July 5, 2018 by Jean Eaton in Blog, PMN Replay, Practice Management Nugget Interview

Do you need a PIA? or a PIA amendment?

If you are a healthcare provider or clinic manager and are not sure if you need a Privacy Impact Assessment . . . then this 30 minute free webinar is for you!

If you are a custodian–including physicians, optometrists, dentists, chiropractors, nurse practitioners, podiatrists, and more!–as defined by Alberta's Health Information Act, then you probably need a PIA.

Jean L. Eaton, Your Practical Privacy Coach will explain

what a PIA is,
why you need it, and
how to start planning to prepare a PIA.

Join us for this 30-minute interactive webinar

LIVE Thursday July 5, 2018

12 Noon MDT

The replay is ready! Register for the FREE 30 minute Webinar recorded live!

Check your email for the link to the webinar!

You will also benefit from receiving notices about upcoming events on Practice Management Nuggets Webinars for Your Healthcare Practice and similar announcements.

We don't sell or share your personal information. Ever.

“When we know better, we can we do better.”

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too! I designed this course to assist healthcare providers, clinic managers, practice managers, privacy officers and independent healthcare practice owners provide practical privacy awareness training that was easy to implement, consistent content, cost-effective and meaningful to your day-to-day business.

When each member of your independent healthcare practice completes this privacy awareness course, you will have clearer expectations and confidence that your team will maintain the privacy, confidentiality and security of your patient’s health information. Give your patients the gift of privacy. Improve your healthcare practice with privacy awareness education.

Jean L. Eaton, Your Practical Privacy Coach Information Managers Ltd.

#PracticeManagementNuggets, amendment, health care, healthcare, medical, Privacy Impact Assessment

How to Process an Access Request for Security Camera Images

Posted on June 12, 2018 by Jean Eaton in Blog, Uncategorized

Have you ever said… “If only I had someone to ask!”

Each month, we discuss your questions about practice management, human resources issues, clinic management best practices, procedures, resources, practical privacy tips, and more in Practice Management Success membership.

In this Q&A, we're talking about:

How to Process an Access Request for Security Camera Images

A patient has requested access to the video security images at my clinic.

What do I do now?

I have received two inquiries from clients lately about disclosing images from surveillance cameras.

In one situation, there was a patient incident in the patient reception area. The patient requested access to the video footage.

In another situation, a patient was suspected of stealing cash from a staff members’ personal coat pocket. Charges were laid by the police, and the clinic manager was anticipating making the images available to the police if requested.

If you have a security camera in your healthcare practice, you need policies and procedures to control how the images will be used, how to advise your patients and staff that you use security cameras and how you will respond to an access request or security incident.

Here are my tips to help you to prepare your security camera policy.

Security Cameras To Provide Safety and Security

We often choose to implement surveillance cameras to provide safety and security for staff and patients. This is primarily intended to deter theft of equipment and records and to monitor for potentially wrongful and illegal activities by patients, visitors, or employees of the clinic.

Patients, staff, and visitors expect that their privacy and confidentiality will be respected and that the images will be used appropriately. As a custodian, you need a written policy and procedure to ensure good business practices, meet privacy legislation, and ensure that individuals have access to their own information.

Keep The Images for the Least Amount of Time Necessary

Remember that collecting and keeping the least amount of information necessary for the intended purpose is a good privacy practice.

If you have a security incident, you probably will be able to recognize it right away or within a few weeks of the event. Keep only the images that are needed to manage a security incident and delete the remaining images. Keeping all digital images longer than is necessary is not recommended.

Many security systems will over-write the images on a 15 or 30 day cycle.

What To Do If An Incident Occurs

If an incident occurs, the video should be reviewed immediately by the authorized custodian.

If you think that the images will be required in the future, copy the required video to a DVD or other memory device. Store the memory device at a secure, offsite location for at least a one (1) year period under the control of the custodian.

In the event that a patient requests access to their own images or if there is the potential for involvement of other people such as the police, insurance, or the Office of the Information and Privacy Commissioner (OIPC), to access the videos in an investigation of a (suspected) security and privacy breach, take the following steps.

Export the video images from the security system into a video file format and stored to a separate memory device (DVD, USB, etc.)
Transfer the video images to still images, if needed.
Review the images and ‘sever’ to remove or obscure the identities of other individuals in the images.

Access Requests

These recordings probably contain personal information as defined under the Personal Information Protection Act (Alberta) (PIPA).

The patient or client can request access to their own identifying information. Use your your current access and release of information policies to guide you to process this request.

I always prefer to have requests in writing so that I can be certain of the details of the request and can confirm the identity of the requester.

The attending custodian or business owner must authorize the release of the information.

Do you need a Security Camera Privacy Policy template?

Privacy policy templates and other tips, tools, and training for your healthcare practice, become a member of Practice Management Success!

Get Your Practice Management Success membership

access request for CCTV images, Access Request for Security Camera Images, healthcare, policy template, security camera policy template, video surveillance images

1. Information Manager Agreement

If You Don’t Have an IMA

Who Must Create the Information Manager Agreement?

Key Points About IMAs

Here is a common example

When You Have Multiple Custodians in Your Healthcare Practice

2. Information Sharing Agreement (ISA)

3. Successor Custodianship Agreement

When we know better, we can do better…

When we know better, we can do better…

You Will Be FINED $50,000 if You Don't Do This!

Not a member of Practice Management Success, yet?

What You Should Do Now

Additional Resources

When we know better, we can do better…

In this Q&A, we're talking about:

Can you use text messaging with patients?

What is the Purpose for Texting?

Texting from the Patient to the Clinic

What Are the Risks?

Workflow When You Receive Text Messages from the Patient

Texting From the Clinic to the Patient

Authorization

Alternate Technology Solutions

Privacy Impact Assessment

When we know better, we can do better…

The Easy Way to Add Content to Your Social Media

There is a simple way to create this content.

1. Select Your Images

2. Add Your Logo

3. Prepare Your Social Media Content

4. Save Your Files

5. Publish Your Holiday Announcements

Let Me Make This Easier For You!

Download the FREE Holiday Hour Templates

Would you like more tips like this?

Mandatory Privacy Breach Reporting is Coming to Alberta!

You need to know how mandatory privacy breach reporting will affect you!

Join us for this Free webinar

Recorded LIVE Thursday July 26, 2018

Register for the FREE Live Webinar Replay!

Check your email for the link to the webinar!

“When we know better, we can we do better.”

Click To Play

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course

“When we know better, we can we do better.”

Join us for this 30-minute interactive webinar

12 Noon MDT

The replay is ready! Register for the FREE 30 minute Webinar recorded live!

Check your email for the link to the webinar!

“When we know better, we can we do better.”

In this Q&A, we're talking about:

How to Process an Access Request for Security Camera Images

A patient has requested access to the video security images at my clinic.

What do I do now?

Security Cameras To Provide Safety and Security

Keep The Images for the Least Amount of Time Necessary

What To Do If An Incident Occurs

Access Requests

Do you need a Security Camera Privacy Policy template?