Information Managers
  • Home
  • Services
    • All Services
  • Blog
  • Upcoming Events
  • Contact Us
  • Practice Management Success
  • Podcasts

Can You Predict Successful Privacy Awareness Compliance Training?

Posted on June 13, 2019 by Jean Eaton in Blog

Protect your organization and your patients.

Investing in privacy awareness compliance training that is engaging, practical, and easy to access will prevent a privacy breach in your healthcare practice.

But, how do you find the right training?

Look for a strong completion rate.

A high completion rate is the single best predictor of successful privacy awareness compliance training. Most on-line courses have a 6-15% completion rate.

The Privacy Awareness in Healthcare: Essentials program from Corridor Interactive has a completion rate of 95%.

And the investment is only $35 per person.

Give your patients the gift of privacy. Improve your healthcare practice with privacy awareness education.

HURRY! A privacy breach can happen at any time!

 

health care, healthcare, HIA, PHIPA, privacy, privacy awareness compliance training

Are You Drowning in Patient Referrals?

Posted on May 13, 2019 by Jean Eaton in Blog

Are you drowning in patient referrals?

Playing telephone tag with specialists and patients?

Faxing is old technology, a massive time waster, and can be very costly both financially and emotionally when faxes get lost in the system.

In our Practice Management Nugget Webinars for Your Healthcare Practice series on October 12, 2017, I spoke with Dr. Denis Vincent, Physician Founder of ezReferral. There are many things that you can do right away to improve patient referral management.

Dr. Denis Vincent's #1 Tip to improve the patient referral process:

“Find more effective ways to involve and engage the patient in the referral process.”

 

The traditional referral workflow is inefficient

string telephoneUsing phone and fax messages from the referring provider to the consulting provider and back to the referring provider and then to the patient takes time. And every time that the message is transferred, there is a risk that the message is not understood or is lost.

So, we have a tendency to create complicated backup systems to double-check and make sure that none of the steps get missed. Many practices have created a ‘referral binder’ monster – the master referral list for the clinic. This binder is full of post-it notes, tags, and phone messages and reminders to help us make sure that the referral appointment is booked, the patient is notified, and the appropriate follow-up takes place.

Patient Referral BinderEven in practices with an electronic medical record (EMR), we use a paper process to ‘make it easier’ to track patient referrals.

But the binder can only be used by one person at a time and only seen by the people in that office. The patient has no idea about the status of their referral so they phone the office regularly to ask for updates.

Receptionist phoneBut wait! We want to make sure that everyone knows what is happening with the referral. We leave phone messages and voice mail and talk to the patient, the specialist, the referring provider to remind, confirm, and follow-up.

 

Save 60 minutes for each patient referral

Denis Vincent suggests that his family physician office referral coordinator used to spend an average of 75 minutes on each patient referral. That referral cycle can take months just to get to the point where the specialist appoint is confirmed and the patient is notified.

Now, using ezReferral, the entire referral process takes an average of 15 minutes of staff time per patient referral. That is a savings of 60 minutes per referral!

You can do this when you use a synchronous patient referral management system. EzReferral is a secure cloud-based solution that manages the patient referral process with clear real-time communication that the referring provider, specialist provider, and the patient can see at any time.

Multi-disciplinary healthcare team

Multidisciplinary referralezReferral is designed to work with any multi-disciplinary referral pattern in your practice. For example, family physician to specialist physician or any other healthcare provider.

14 days from referral order to confirming appointment. Can you do that?

Starting in January 2017, physicians in Alberta must meet new time frames for acknowledging and responding to referral requests. If you are asked to consult on a patient, you will have:[1]

  • 7 days to acknowledge receipt of the request to the referring healthcare provider.
  • 14 days to let the referring healthcare provider know whether you can accept the referral.
  • 14 days to contact the patient to schedule an appointment or to confirm the status of the referral, if no appointment date has been determined.
  • 30 days to provide the referring healthcare provider with a written report after your first appointment with the patient.
  • Consulting physicians will also need to be reasonably available to respond to referral requests and ensure their process is accessible.
  • Referring physicians will have to make sure they include all pertinent clinical information (including relevant investigation results) and the purpose of the consultation with their request, to enable the consulting physician to determine whether he/she can accept the referral within the mandated 14-day time frame.

([1] College of Physicians and Surgeons of Alberta)

These are good standards to meet for every type of healthcare provider.

You can meet these standards when you use a synchronous patient referral management system. EzReferral is a secure cloud-based solution that manages the patient referral process with clear real-time communication that the referring provider, specialist provider, and the patient can see at any time.

ezReferral Patient Text Message

Patient Benefits

  1. Patient Engagement
  2. Patient Satisfaction
  3. Patient Peace of Mind
  4. Better Patient Care

Referrer Benefits

  1. Happier patients
  2. Reduce workload
  3. Eliminate the “black hole”
  4. Satisfied Staff

Specialist Benefits

  1. Reduced workload
  2. Reduce no-shows
  3. Reduce phone calls
  4. Reduce overhead
  5. Audit trail


Testimonial from Edmonton Eyelids

“Our office has been using ezReferral since July 2016. It’s easy to rave about this powerful communication tool – each referral received through this system takes a fraction of the time required through our faxed referral system, due mainly to the fact that most patients choose to receive referral notifications by text and/or email (thereby eliminating the “middle ground” in which some referrals can get lost). What truly sets ezReferral apart from ANY online interface that I have ever used: the support staff is accessible, proactive, and fast.”

Shawna Sazwan
Edmonton Eyelids

Dr. Vincent has implemented ezReferral in his family practice. I have to admit, I’m blown away with his experience that 95% of the patients choose to receive their notifications by text messaging. That’s much better than I anticipated.

This solution is ideal for healthcare practices with referrals within the medical community and even better when you are working with multidisciplinary referral teams. This works well for both paper based and electronic medical record based practices.

Watch the webinar replay now to see how you can save time, money, while improving the patients’ access to health care in a timely, efficient manner. You will also discover the key steps and timelines to prepare for implementation in your practice.

Practice Management Nugget webinar interview with Denis Vincent  was recorded live on October 12, 2017.

 

Watch the Webinar

 

If you are a member of Practice Management Success, login here and view the webinar replay and access the members-only resources.

#PracticeManagementNuggets, Dr. Denis Vincent, ez Referral, ezReferral, fax, health care, healthcare, medical, patient referral management, practice management, review ezReferral

Privacy Awareness Week 2019

Posted on May 7, 2019 by Jean Eaton in Blog

Privacy Awareness Week (PAW), an initiative of the Asia Pacific Privacy Authorities forum (APPA), is held every year to promote awareness of privacy issues and the importance of protecting personal information. This year, Privacy Awareness Week is celebrated May 6-10, 2019.

Protect Your Organization and Your Patients

Equip your staff with the information they need to confidently and correctly handle personal health information.

Healthcare businesses need privacy awareness training to support key policies, procedures and risk management programs need a privacy awareness training program.

Reasonable Safeguards

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness.

If you don’t provide the training, or if the employees don’t understand the policies and there is a privacy breach, then the healthcare provider is more likely to be held accountable under the legislation and face penalties including fines and even prison!

Patients value the privacy and security of their information.

Healthcare providers and clinic managers value privacy and security, and they value not having adverse results as a lack of compliance or patient safety issues.

Privacy Awareness Quiz

Patients trust their healthcare providers with their sensitive, personal, and financial information.

If patients don’t feel that the healthcare provider will keep their information confidential and secure, patients may choose not to share their information which may impact their healthcare and treatment.

When we are privacy aware, we can better respond to patients’ questions and build their trust in the quality of services that we provide.

Avoid Fines

On August 31, 2018, amendments to the Health Information Act (HIA) came into force that introduce a fine of not less than $200,000 for a person who fails to take reasonable steps in accordance with HIA regulations to maintain safeguards to protect against reasonably anticipated threats to the security of health information (sections 107(1.1)(a) and 107(7)).

SAY NO TO SNOOPING! If an individual affiliate knowingly breaches the privacy and security of health information, and the custodian can demonstrate that reasonable safeguards (including privacy awareness training) were in place, the individual affiliate can be charged under the Health Information Act. Fines of up to $50,000 per may be applied to the individual in addition to other sanctions from their employers and/or their professional regulatory colleges where applicable. (HIA s.107)

What Will You Do To Be More #PrivacyAware?

Join Information Managers for Privacy Awareness Week! May 6-10, 2019. #PrivacyMatters!

Information Managers would like to spread the message of #PrivacyMatters to raise privacy awareness in healthcare everyday.

Share these resources in your healthcare practice to keep privacy top-of-mind and demonstrate your commitment to privacy awareness!

Privacy Awareness in Healthcare: Essentials

 Improve your healthcare practice with privacy awareness education.
#PrivacyAwareness training in healthcare to support key policies, procedures and risk management programs.

Grab this from Corridor Interactive!

Special Privacy Awareness Week Pricing! EXTENDED!

Hurry! Expires soon!

Grab Your Privacy Awareness Training

Download Your Privacy Awareness Quiz!

Common scenarios in healthcare.

Grab Your Quiz

I Heart Privacy! #PrivacyMatters

Print badges for your team.

Or, use the done-for-you sheet of labels that you can print right away and slip into badge holders or print to stickers or labels.

You can even customize the labels and add your business name!

Instant Download Here

Download Your Monthly Privacy and Security Awareness Audit Template

Grab Your Free Privacy and Security Monthly Audit Template
#PrivacyMatters, health, healthcare, privacy awareness, training

How Will Netcare Patient Portal Impact Your Healthcare Practice?

Posted on April 3, 2019 by Jean Eaton in Blog

⇓ ⇓   Click the >> arrow button to play the video!

     

It's Here!

After many long years of waiting, residents of Alberta can now access their personal immunization history, medication history, lab test results, and more in their own MyHealth Records – the patient portal view of Alberta Netcare.

Watch the short video above for my quick review of MyHealth Records.

Alberta Netcare has announced the next step to grant patients access to their own record in Alberta Netcare Portal (ANP).

MyHealth Records

The Alberta Netcare website says that MyHealth Records is a Personal Health Record for Albertans to access some of their health information, such as lab results, medications, and immunizations drawn from Alberta Netcare.  

MyHealth Records also provides access to several health and wellness tools to help track and maintain overall health. (See the complete list of features here.

Alberta Health has announced that the first step for patients to access thier own records is to request your MyAlberta Digital ID (MADI) which will eventually act as your login credentials to the ANP.

If you have not already registered for MADI access you may do so here:  MyAlberta Digital ID.  

You will see 2 options – one for a basic account and one for a verified account. Select the verified account.

You will receive a personal identification number (PIN) in the mail.

When you have a verified account, you can go to your MyAlberta Digital ID account and add a new MyHealth Records access.

You can do this now – no need to wait!

You will (probably) have access to medications dispensed by pharmacists and lab and diagnostic imaging tests results for the last 18 months. Remember, not all test results are available.

You can now also add your own journal entries for your weight, food diary, exercise diary and other tools to help you manage your health.

This is a patient portal into your health information maintained by Alberta Health Services and Alberta Netcare.

The original or ‘source’ data continues to be securely managed in the service providers’ originating electronic systems. The originating systems and their custodians are required to keep the records for the entire records retention period; generally 10 years.

The information in the MyHealth Records portal may only be available to you for 18 months to 2 years. If you choose to add information to your account, I believe that information will be maintained for a limited time (for example, 2 years).

Patient portal

Patient Portals Can Reduce Barriers

The use of  a patient portal can reduce barriers for patients to access their own records. Other benefits to patient portals  may include:  

  • Increased empowerment to patients who can access their own results in a timely fashion
  • Better communication with patients
  • Fewer access requests (and increased administration efficiencies)
  • Fewer missed appointments (and increased access to care)

How Will Patient Portals Affect Your Healthcare Practice?

Will you tell your patients that they can access some of their lab results themselves directly from MyHealth Records?

Let me know your experiences with patient portals and your questions. I really would like to know your thoughts on how portals may impact your healthcare practice.

#digitalhealth, Alberta Netcare Portal, ANP, benefits, health, healthcare, MyHealth Records, Netcare, Patient portals

Does Your Healthcare Practice Need an Information Manager Agreement For Your Shredding Service?

Posted on April 1, 2019 by Jean Eaton in Blog

Q: We are selecting a vendor to look after our shredding. Do we need an information management agreement (IMA)?

A: Yes, you need an information manager agreement (IMA) with your shredding vendor.

Think about all the health information that you have authorized them to manage on your behalf. You certainly want to select a reputable vendor who will pick up the paper and securely transport it to their facility for secure shredding.

The Health Information Act (HIA) allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, like shredding. This requires the custodian to give the vendor access to the papers with health information so that the vendor can  securely destroy the paper.

The shredding vendor is known under the HIA as an information manager.

The custodian must ensure that the vendor has reasonable safeguards in place to protect the sensitive health information. The custodians must also ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

There are many reputable vendors from which to choose

Some vendors will do the shredding right in your parking lot; others will transport it to their processing facility.

Remember to ask for a certificate of destruction at the completion of the shredding to document the secure destruction of the paper. Some vendors require a witness from the clinic to confirm that the shredding was done securely.

Some vendors can offer a recycling program for the paper after it has been securely shredded.

Ask your shredding vendor for an IMA. This is different than a service agreement where you agree to pay a fee for the shredding service. 

For more information on what is an IMA, see the e-book, Top 3 Agreements Your Healthcare Practice MUST Have (and Why). 

Top 3 Agreements

health, healthcare, information management agreement, information manager agreement, shredding

What is a PIA?

Posted on March 11, 2019 by Jean Eaton in Blog

Have you ever been in a situation where you had a great idea that you wanted to implement and then someone asked you if have a PIA for that?

     
Enter your name and email below to watch the entire video right away! [mc4wp_form id="50026"] By entering your email address above, you are requesting about upcoming training and related resources. You can opt out at any time, and we'll never rent or sell your email address.

Click on the >> arrow above to play the video.

Maybe you wanted to add a new digital health app to make it easier for patients to book appointments with you, or get access to Alberta Netcare Portal, use the internet to get on-line consultations for your patients, or start using a new EMR.

Or maybe you have a new healthcare practice and you are excited about choosing the right location, the right equipment, the right vendors that fit your budget and your goals.

A PIA is a practical business tool in your healthcare practice.

A PIA is an important tool that you can use to help you with that project management.

It will help you anticipate risks to the project before it starts and avoid serious problems, wasted time and money.

The PIA process requires you to have written policies and procedures so that you can implement the project effectively and train your staff consistently. Sometimes a PIA is a requirement of legislation. But it is always a best practice whenever you implement a project that includes personal health information.

Watch the video now to take a look at what is a PIA, what will a PIA do for you, and when you need a PIA. Just click on the image above to play the video.

Would you like more information about Privacy Impact Assessments for your healthcare practice?

By entering your email address above, you are requesting about upcoming training and related resources. You can opt out at any time, and we'll never rent or sell your email address.

health care, Health Information Act, healthcare, HIA, Netcare, PIA, privacy, Privacy Impact Assessment, What is a PIA?, what is a privacy impact assessment

Curiosity Is NOT Need-To-Know

Posted on February 18, 2019 by Jean Eaton in Blog

I am often asked if it is ‘OK’ to look up patients information on Netcare when the patient hasn’t been seen for some time and the care provider wants to know how they are doing.

Let me be clear: If you are not currently providing a health service to the patient in a current episode of care, you must not look up that patient’s information on Netcare or any other EMR or paper system.

The patient has a right to privacy – which means don’t look unless you have a need to know.

Curiosity is not a legitimate need to know. That is snooping!

You Can Use This Privacy Breach Example to Review and Improve Your Practices

Pro-active Auditing Reveals Snooping in Sask eHealth

What Happened

On April 6, 2018, a highway collision occurred involving the hockey team Humboldt Broncos which left 16 dead and 13 injured.

The trustee of the Saskatchewan Electronic Health Record Viewer, eHealth, pro-actively audited their electronic health record system to identify potential unauthorized use of the system by authorized users.

eHealth detected that two physicians and an administrator at the Humboldt Clinic Limited inappropriately accessed the personal health information of two individuals involved in a collision involving the Humboldt Broncos.

The auditing revealed that there were many instances where access was made between April 7 and April 10 to the records of two patients. The records belonged to two individuals who died in the crash on April 6.

The physicians had provided care to the individuals in January of 2018 but were not involved in providing care to them on or about April 6. The physicians’ access was prompted because of their ‘concern’ for the individuals.

[click_to_tweet tweet=”Curiosity is NOT need-to-know! The patient has a right to privacy – which means don’t look unless you have a need to know to provide a current health service to the patient. @InfomanLtd #PrivacyBreach #Privacy #PrivacyBreachNugget” quote=”Curiosity is NOT need-to-know! “]

Clearly, these users of the Viewer were not currently providing care and treatment to the patients.

The access of the Viewer in this example not a legitimate need-to-know under Saskatchewan’s The Health Information Protection Act (HIPA).

eHealth reported these privacy breaches to the Information and Privacy Commissioner (IPC) of Saskatchewan.

4 Step Response Plan

The trustee, eHealth, undertook the first step to respond to a privacy breach by spotting and stopping the breach. The audit identified the breach. Then eHealth contained the breach by suspending or terminating access to the Viewer.

Secondly, eHealth appropriately notified the individuals’ next of kin of the privacy breach.

The third step is to investigate the breach. eHealth notified the IPC of the breach. The clinic, however, did not investigate the cause of the privacy beach.

Preventing a similar breach is the fourth step. The clinic has privacy policies and a privacy training strategy. The eHealth Viewer also has online training for its users.

IPC Recommendations

Subsequent to its investigation, the Saskatchewan IPC observed that the training had not prevented this breach.

The IPA recommended that the clinic provide further training to its employees and contractors on the need-to-know principle. Additionally, the clinic is recommended to document the privacy breaches and the lessons learned to prevent a similar privacy breach.

Reference: Saskatchewan IPC Investigation Report 177-2018, January 29, 2019

Privacy Breach Nuggets You Need to Know

There are many privacy breaches in the news each day. The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain.

Privacy education is more than just having policies and procedures. Demonstrating good practices, regular discussion about examples, and even gamification helps to ensure that all members of your healthcare team understand their roles and responsibilities.

If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Pain.

“When we know better, we can do better”

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

#digitalhealth, clinic, healthcare, HIPA, Humboldt, medical, privacy breach, privacy breach nugget

Do You Have a Password on Your Point of Sale Device? You Should!

Posted on November 30, 2018 by Jean Eaton in Blog

Avoid scams with your credit / debit machine now. Check out this article from CBC news 

You can activate a security feature with your credit / debit machine that allows you to create a password before someone can access the administrative controls on your device. In this case, the scammer used a pre-programmed ‘credit card' and inserted it into the point of sale (POS) device. The card is actually a fake “administrative card,” which gives them complete access to the terminal, and allows them to manually enter in an alternative, usually stolen, credit card number.

The scammer walks away without using any of their money for the purchase. And the clinic owner is stuck with the bill.

When the purchase is discovered as fraudulent, the vendor has to pay back to the credit card company whatever the amount that the scammer entered into your POS device.

You will also likely receive a “chargeback” fee from the credit card processor.

Do you know who manages the POS password in your clinic? Who is the back-up person?

Do you maintain the passwords in a secure, corporate, password manager service?

Have you added this to your Health Information Privacy and Security Manual? You should!

clinic, Fraud, healthcare, password, point of sale device

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Posted on November 29, 2018 by Jean Eaton in Blog

In order to provide services, healthcare practices must collect pertinent information from patients. This data gathering often includes many sources of information, across different types of technology, among multiple vendors. Good business practices and health records management is supported by three agreements your healthcare must have: information manager agreement (IMA), information sharing agreement (ISA), and successor custodian agreement.

For instance, when a patient attends a clinic, their details are nearly always entered into a computer software program to maintain demographic information, manage patient appointments, and to process payments. Often, health service providers (including physicians, pharmacists, chiropractors, dentists, psychiatrists and more) record their patients’ notes into an electronic medical record (EMR).

Patient information is shared between providers where required. For example, when the patient visits a diagnostic lab for testing, results are often transmitted electronically to the ordering physician’s fax machine or to the EMR.

Custodians including physicians, pharmacists, chiropractors, dentists, and psychiatrists, as defined by the Alberta’s Health Information Act (HIA), must follow HIA legislation when they collect, use, and disclose health information.

Often, custodians are also the owners of independent healthcare practices. However, an owner of a healthcare practice is not the custodian if they are not also an active member of a regulated health profession named as custodians in the HIA.  

1. Information Manager Agreement

The HIA allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, so patients can receive health services, and make payments. This often requires the custodian to share patient information with a vendor (or give them access to) so the vendor can process, store, or provide information as needed.

The custodian selects one or more business to provide the services, equipment, or software to assist in the management of health information. For example: EMR provider, contracted transcriptionist, billing agent, remote backup service, etc. These businesses are known in the HIA as information managers.

Before sharing health information with someone else, the custodian must ensure that the partners and vendors have reasonable safeguards in place to protect sensitive health information. The custodians must ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

The Information Manager Agreement (IMA) is one of three crucial agreements a healthcare practice must have in place.

If You Don’t Have an IMA

If you are a custodian who uses vendors as part of your business and you do not have an IMA with that vendor…

  • You are in breach of the HIA.
  • You may incur fines under the HIA.
  • You may face sanctions and disciplinary actions from your professional regulatory college.
  • Almost certainly, you will encounter conflicts, poor communication, between yourself and the vendor(s) and the other participating custodians in your practice.
  • You may lose control of the health information as reported in the Investigation Report H2013-IR-01from the Alberta Office of the Information and Privacy Commissioner (OIPC).

In a press release from the Alberta OIPC in 2013, Information and Privacy Commissioner Jill Clayton noted that:

“The HIA allows custodians to disclose health information to IT service providers, such as EMR vendors, under an appropriate Information Manager Agreement. When custodians do not sign these agreements, they may find themselves in the unfortunate position of losing control over the health information they need to provide health services.”

Investigation Report H2013-IR-01 (https://www.oipc.ab.ca/news-and-events/news-releases/2013/investigation-report-h2013-ir-01.aspx)

Who Must Create the Information Manager Agreement?

The custodian is responsible to ensure that there is an appropriate IMA created and signed.

The information manager can assist the custodian by preparing templates of the IMA including specific details of the services that they will provide and the safeguards that the vendor will implement to protect personal health information.

Key Points About IMAs

A few important notes about IMAs.

  • IMA must be signed by the custodian.
  • Agreements signed by individuals who are not custodians are not valid under the HIA.
  • Custodians are required under the HIA to have an IMA with the vendor before disclosing health information. If there is no agreement in place, the custodian is in breach of the HIA.
  • Custodians are responsible for the health information that they collect, use, and disclose. Therefore, the custodian is responsible for the IMA and to ensure that the health information will be handled confidently and securely.

Key Points IMA

The custodian can select the best vendor and information manager for the job. The vendor who understands the requirements of the HIA and who can demonstrate that they have implemented the appropriate reasonable safeguards and can assist the custodian to develop an appropriate IMA is, in my opinion, demonstrating a significant competitive advantage.

All healthcare providers in a community practice should spend time when creating their business to establish good business practices, including developing written contracts and agreements to improve the efficiency of the business and to make things happen in the way that they are planned.

Here is a common example

Dr. Alice and Dr. Mark created a welcoming family medical practice in a new sub-division of their city. They each worked hard to attract new patients, hire and train staff, and develop a profitable business.

In the last few years, Alice and Mark had differences of opinion on how to grow their business. In the end, Alice decided that this type of practice wasn’t for her. She decided to leave and join a larger practice in a neighbouring subdivision. Alice wanted to take her patient’s records with her to her new practice and continue to see her patients at the new location.

Mark, who had signed the IMA with the EMR vendor, did not agree to Alice’s request to transfer her patient records to her new group practice.

Alice and Mark argued and eventually involved a professional mediator to help them resolve their business conflict. Hurt feelings between the providers and staff, costly delays in their business and expenses could have been avoided if Alice and Mark had established clear expectations in the event of the termination of their business partnership when they started their group practice. An IMA between custodians in a group practice is a recommended best practice.

When You Have Multiple Custodians in Your Healthcare Practice

When the practice has multiple providers, the owner and custodian frequently assumes responsibility for maintaining the contracts and IMAs with the vendors. Each of the participating healthcare providers may delegate the responsibility of maintaining the vendor arrangements to the custodian owner. This can be achieved with an IMA between the owner / custodian and each participating custodian.

Custodian Owner IMA

Each healthcare provider custodian is considered the custodian of the health information that they collect. The custodians can jointly agree to all use the same EMR. This provides continuity of care for the patients and economy of scale for the participants of the practice.

When the owner/custodian signs the agreement with the EMR, they become the signatory custodian. The EMR vendor takes their instructions from the signatory custodian.

The owner / custodian is now an information manager for all the participating custodians.  but does not become a custodian of the health information provided to them in their roles as an information manager.

For example,

Dr. Bill opened his medical practice, ABC Clinic. Later, additional physicians were recruited to work at ABC Clinic. The physicians are each custodians as defined by the HIA.

Dr. Bill assumes the responsibility for the operations of the clinic including the computer network and the contract with the EMR vendor. Dr. Bill is the information manager for the patient records at the clinic.

Each physician signs an IMA with Dr. Bill and agree that he will continue to manage the patient records on their behalf. Dr. Bill is operating as an information manager.

In his role of the information manager, Dr. Bill must follow the instructions from each physician, the custodian, as it relates to the management of their patients’ records.

2. Information Sharing Agreement (ISA)

When you have more than one physician in your practice, you need an agreement about how you will decide to manage the personal health information in your practice.

An Information Sharing Agreement (ISA) focuses on the internal decision making about all things related to personal health information whereas, an IMA is an agreement with a single vendor about the services that the vendor provides.

ISA IMA

An ISA may include things related to the services that a vendor provides but is not limited to just vendor services.

It also includes decisions about the process to ensure appropriate role based access to personal health information in the EMR, computer network, and paper formats; the regular review of health information privacy and security policies and procedures, ensuring privacy and security awareness training, the regular review of administrative, technical, and physical safeguards in the practice, and so on.

In larger organizations or when several smaller organizations participate in an information sharing initiative, a Data Management Committee may provide oversight and facilitate this process.

An ISA is a requirement of the College of Physicians and Surgeons of Alberta.

Identifying a successor custodian is also a requirement of the College of Physicians and Surgeons (CPSA).

3. Successor Custodianship Agreement

As a business owner, you need to plan a successor to the business. This might be an interim or short-term decision to ensure continuity during an absence or future retirement planning or unexpected illness or death.

In healthcare, physicians and custodians have the added responsibility as the ‘gatekeeper’ for patient records. In the event of a sudden inability to meet these responsibilities, physicians need to identify a successor custodian to ensure appropriate and continued access by patients to their health information for their continuing care and treatment and to ensure that the continuing confidentiality, security, and access to patient records continue to be fulfilled.

Have you identified a successor custodian? Each of the physicians in your group practice should also identify their own successor custodian.

This is a CPSA requirement and should also be included in the Privacy Impact Assessment if you have this information available. See CPSA, Patient Record Retention, s.5:

A regulated member acting as a custodian must designate a successor custodian to ensure the retention and accessibility of patient records in the event the regulated member is unable to continue as custodian. (Reference: Health Information Act Section 35(1)(q)

If you are a chiropractor, the Alberta College and Association of Chiropractors (ACAC) further requires its members to name a chiropractor as the successor custodian to maintain the status of ‘chiropractic’ records. (See the ACAC’s Standards of Practice s5.3 Custodianship of Health Records.)

A chiropractor, as a custodian of health records, is responsible for the care and control of the health records in their practices as required by the Health Information Act of Alberta. A custodian of active chiropractic files must be under the custody or control of an active, registered member of the ACAC.

Note that under the Health Information Act, a chiropractor may disclose files to another custodian who is not a chiropractor, and only a chiropractor may have custody or control of chiropractic files. Chiropractic files disclosed to a non-chiropractor should no longer be considered chiropractic files.

A custodian must implement technical and physical safeguards to protect the confidentiality of the information and privacy of individuals as well as protections against reasonably anticipated threats to the security or integrity of the information. A custodian must also defend against unauthorized uses, disclosures or modifications of the information. Safeguards must be periodically assessed and documented in policies and procedures.

If you are working in an owner/custodian scenario discussed above, clearly identifying a successor custodian becomes imperative. An unplanned absence of the owner / custodian can seriously jeopardize the business and the continuing care and treatment of patients.

The custodian can, but is not required to, name another custodian in the same practice to be their successor. Whatever your decision, ensure that this is well documented and easily accessible to the other custodians and key decision makers in your organization in the event of an emergency.

The best time to create IMA, ISA, and Successor Custodianship Agreements is when you start your healthcare business.

The second best time in now.

What are you waiting for?

If you need assistance, contact Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers. I’m here to help you with your Practice Management Success.

Download the FREE Report - Top 3 Agreements Your Healthcare Practice MUST Have

If you are a member of Practice Management Success, login here to access the Top 3 Agreements.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS 

chiropractors, dentists, health care, Health Information Act, healthcare, HIA, IMA, information management agreement, information manager agreement, information sharing agreement, ISA, medical, physicians, Practice Management Success, successor custodian

How to Prepare Patient Records for a Court Order in Your Healthcare Practice

Posted on September 25, 2018 by Jean Eaton in Blog

You are working at the reception desk of a healthcare practice. Suddenly, there is a police officer or court officer giving you a court order to produce patient records!

Don’t Panic!

In this month’s Q&A with Jean, we discussed how to prepare patient records for a court order with confidence!

Now, just a reminder, I’m not a lawyer and I don’t play one on TV. These are my recommendations based on my experience as a director of health records in hospitals in Canada, as a court reporter, and as a mentor to clinic managers in independent healthcare practices and not legal advice.

Follow These Steps

In this article, I am not discussing a situation which relates to a life-threatening situation that requires an immediate response. I am also not discussing when order relates to the type or quality of healthcare provided to the patient or when the actions of the healthcare provider or clinic is being challenged or reviewed. These are topics for a different article.

Your reception staff should not accept the court order but, instead, immediately ask the officer to wait for a few minutes so that they can request their supervisor or privacy officer to meet with them.

When the court order is an administrative request for information, the supervisor or privacy officer will accept the court order from the officer. Before the officer leaves, make sure that you read the court order carefully and ensure:

  • Who is named in the court order often the clinic manager of the clinic. Your clinic should be specifically named or, perhaps, the name of your lead physician or healthcare provider.
  • Record the date and time that you received the order.
  • Clarify when the response is required.
  • The name and the contact person of the officer that delivered the court order (if possible) or, at minimum, the contact information of the court, for example, the court clerk’s office or the witness co-ordinator, or the sheriff’s office is included on the court order.
  • The province or jurisdiction of the court. Generally, it should be the same province where your clinic operates. If not, contact your lawyer for advice on how to respond.

Review Your Policies and Procedures

This is not a routine request from a patient to access their health records or a request to disclose their records to a third party like a lawyer or insurance company. In those routine requests, patients routinely require to provide a written, signed consent before you can disclose their records.

When you receive a court order or subpoena to produce patient records at a court or other legal proceeding, you are not required to get a signed consent from the patient.

Each healthcare practice should have detailed policies and procedures on how to prepare patient records for a court order. Review these now.

If you don’t have up-to-date policies and procedures, see the Practice Management Success Tip, How to Prepare Patient Records for a Court Order.

Validate the Court Order

Read the court order carefully. In particular,

  • Phone the contact number on the court order.
  • Confirm the date, time, and location that you are required to appear.

Locate the Patient Record

Find the patient information maintained in an electronic database, electronic medical record (EMR) and/or paper records. Remember to look for both active and inactive patient records as needed by the court order.

Read the patient record carefully, line by line, to ensure that the record is complete. For example, make sure that all lab reports, prescriptions, consultation notes, etc. are included in the record.

Secure the record to prevent snooping or modification to the record. Also ensure that the record is available for continuing care and treatment of the patient, if needed.

In an electronic record, prepare an audit log of all the transactions on that patients’ chart.

Ensure there is no duplicate or second chart for the patient that may have been created in error. Search by alternate names, spellings, date of birth, etc.

Ensure that each custodian included in the patients’ care and your healthcare practice’s privacy officer is informed of the court order to produce the record. The custodian should be provided an opportunity to review their clinic notes. Remind the custodian that they cannot further disclose the patient's record.

Prepare the Patient Record

Review the court order and identify exactly what information is requested. It might be for specific dates or a condition or treatment.

Keep complete and detailed notes about how you prepared your response to the court order. You will bring your notes with you to court to assist you in your testimony about how your clinic creates and maintains patient records and what you did to respond to the court order. After your court appearance, you will maintain your notes as part of the business records for the clinic.

Collect the information and record each of your steps and your results, including the records that you searched for and did not find any results.

If you maintain your patient records in an electronic medical record (EMR) or digital practice management software, print out a hard copy of all the information that responds to the information that is requested.

Sever (also known as redact or black-line) any information that is not appropriate to include in the disclosure. Cross-reference each redacted entry to the legal authority not to include the information in the disclosure.

If you are using an EMR, organize the paper print-out in a format that makes sense. This might be chronological date order, or group like records (clinic notes, lab results, etc.) together.

Create a ‘Table of Contents’ of the information in the patient record. This will help you in your testimony to quickly find requested information, help the court to locate information in the records that you have prepared.

At the same time, handwrite in ink at the bottom of each page the sequential page number in the package. Update the table of contents with the page numbers.

Stamp ‘COPY’ on each page.

When the package is complete, make a photocopy (or two) of the entire package. The ‘original’ paper copy will be maintained at the clinic. Bring the original and the copy to court and ask the court to accept your copy. Return the original package to the clinic and securely maintain this as part of the business records of the clinic until the court file is complete.

When You Attend At Court

As the clinic manager, your role at the court is to tell the court how patient information is collected and maintained in your healthcare practice. Your job is not to interpret the content of the clinic notes.

A few days prior to the court date indicated on the court order, phone the clerk’s office or witness support office to confirm the date, time, and location of the proceedings and if you are still required to attend.

On the day of the proceedings, report to the clerk of the court.

Bring with you the court order, your photo ID, the patient record, and your notes. Bring a good book to read in case you have a long wait.

You will be advised (again) if you are required that day. If you are not required, the clerk will make a notation on your court order to appear that you attended and that you have been dismissed. Keep this in your business records with the patient record.

If your testimony and the patient records are required, you will be called as a witness during the court proceeding.

You will be asked to swear or affirm an oath to speak honestly during your testimony.

Typical questions that you should be prepared to answer include:

  • Your name.
  • Your role at the clinic, how long you have been in that role, your routine tasks and responsibilities at the clinic.
  • Describe how patient records are maintained. Be prepared to explain your EMR or computer patient management system (if you have one).
  • Bring your notes about the steps that took to prepare for the court order. You may ask permission of the court to refer to your notes that you created when preparing to respond to the court order during your testimony, if necessary.
  • Explain that the patient records are kept electronically and that you have prepared a paper print-out of those notes.
  • Be prepared to explain how you know that the records are complete, not missing any details, etc.
  • If the court asks you to enter the records into evidence, explain that you have an ‘original’ and a ‘copy’ and ask the court to accept the ‘copy’ into evidence.

When You Return to the Clinic

Complete your notes by documenting your day at the court. Write a short summary of your day including:

  • Did you give a copy of the patient records to the court? To whom?
  • Remember to add this notation to the patients’ record that you disclosed this information according to the court order.
  • Any follow-up required for this disclosure?
  • Review your procedures. Anything that you would edit or provide additional instructions that will help you to be better prepared for next time you receive a court order?
  • Submit a copy of your out of pocket expenses (parking receipts, meals, etc.) for re-imbursement by your employer, if applicable.

What You Should Do Now

  1. Review your policies and procedures now to ensure that it includes how to respond to a court order.
  2. Train your reception staff on what to do if they receive a court order.
  3. Train your privacy officer and clinic manager on how to prepare a patient record for a court order.

Depending on where you work, you may receive a court order regularly or it might be a once-in-a-career experience. When you have policies and procedures and a little bit of training to assist you, you can respond to a court order calmly and confidently.

If you are a member of Practice Management Success, login and access the ’Procedure:  Preparing Patient Records for a Court Order’ template and the replay of the tutorial video.

Download the FREE eBook - Preparing Patient Records for a Court Order Now!

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

court order patient records, health care, health records, healthcare, medical, Practice Management Success, subpoena to produce patient records, template procedure
‹1234›»

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

"The 15 Day Privacy Challenge has made me aware of the policies that my facility needs to update/create!"

- Rachel Worthing, CHIM, Ontario Shores Centre for Mental Health Sciences

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2019 Information Managers Ltd.