Can You be Charged Under the Health Information Act ?

Posted on December 2, 2015 by Jean Eaton in Blog

If you access personal health information without authorization, this is a privacy breach.

You can be charged with a fine under the HIA and can face penalties, fines, and sanctions from your professional association.

How frequently are people being charged under the Health Information Act in Alberta for improper access to health information?

“This year alone, there has been one conviction and two charges for improper access of health information. The office is also investigating more than a dozen cases, and they all have the potential to become offence investigations.” Medical record privacy breaches an ‘epidemic' in Alberta,' says commissioner CBC News Posted Oct 15, 2015.

An investigation by the Alberta Office of the Information and Privacy Commissioner (OIPC) has resulted in 26 charges being laid against an individual under the Health Information Act (HIA) as reported in a OIPC News Release December 1, 2015. An incident at the Alberta Children’s Hospital in Calgary was reported by Alberta Health Services to the OIPC. The OIPC conducted an investigation and upon completion of the investigation charges were laid against the individual who allegedly gained access to health information in contravention of HIA.

This is the sixth time charges have been laid under provisions of HIA. The maximum penalty for each offence is $50,000.

Who is a custodian?

The custodian (as defined by HIA a ‘custodian' includes physicians, pharmacists, dentists, chiropractors, optometrists, Alberta Health Services, Minister of Alberta Health and more). The custodian is responsible to take reasonable steps prevent privacy and security breaches including providing privacy awareness training.

Do you have a privacy awareness program?

Do you have a privacy awareness program in your practice that everyone must attend? This includes healthcare providers, students, residents, office staff and, yes, even the non-patient care employees like cooks, cleaners, and maintenance staff.

Have you seen this?

Do You Need Privacy Awareness Training for Your Healthcare Practice?

fines, Health Information Act, HIA, privacy awareness training, privacy breach

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course

Posted on December 1, 2015 by Jean Eaton in Services, Training

Do you need a Privacy Impact Assessment?

Or do you need to amend an existing PIA?

Privacy Impact Assessments are just one of the requirements you need in order to fulfill your obligations in Alberta’s Health Information Act (HIA) and other legislation and are an important aspect of developing privacy best practices in your office.

And a little help along the way is always a good thing.

Practical Privacy Coach, Jean L. Eaton of Information Managers, is constructively obsessive about privacy, confidentiality, and security when it comes to the handling of personal and health information, particularly in primary health care settings. Jean has helped hundreds of healthcare providers, vendors, and health and social service delivery organizations and associations complete their Privacy Impact Assessment which have been successfully accepted by organizations' management and regulators. Jean has customized and delivered privacy training programs for privacy officers, records management professionals, implementation teams, and healthcare providers across Canada and the US.

Now you can have access to five modules to help you learn everything you need in order to complete your own PIA.

New PIA Amendment Track

Each module includes a video training, as well as templates, tools, resources and case studies to build on in each lesson. You can use this scenario to guide you through the PIA process in healthcare. If you work in healthcare or privacy or records management and need to do a PIA, this e-course is for you.

You need a Privacy Impact Assessment when

You are opening a new clinic or establishing a new health services program.
You are changing administrative procedures or technology equipment, services, or vendors
You are changing how you collect and use personal information,
You are implementing or changing an Electronic Medical Records (EMR)
You are sharing health information with another healthcare provider, organization, Primary Care Network or other health program.
You have a Privacy Impact Assessment that was written more than 2 years ago (It is time to review and update this!)

If you are a healthcare provider, practice manager, and you need your first PIA this e-course is for you

Are you in a group or solo practice with direct patient care, for example:

Physician
Pharmacist
Registered nurse
Optometrist or optician
Chiropractor
Physiotherapist
Midwife
Podiatrist
Dentist, dental hygienist or denturist
Audiologist
Mental health practicitioner
Laboratory, x-ray, and imaging technician
Paramedic

A PIA should be as common place to a healthcare practice as a business plan is to a business. BUT most healthcare practices don’t know this and often don’t know that a PIA is usually part of their professional college requirements and often even a legislated requirement! Prevent malicious errors, omissions or attacks that could result in fines and even jail time for the business, healthcare provider, employee, or vendor by completing a PIA.

If your Privacy Impact Assessment was written more than 2 years ago this e-course is for you

The Clinic Manager and Physician Lead and Privacy Officer must ensure its content is updated to reflect the current state of administrative, physical and technical controls.

BONUS! Checklist to update your PIA to meet recent changes to Alberta's Netcare Portal. If your practice has completed a PIA and now you need to update the PIA, you receive a checklist of items that you need to consider to refresh your PIA.

If you a vendor that supports healthcare practices this e-course is for you

BONUS! One hour tele-consult with Jean, “Create a branded Privacy Impact Assessment Readiness Package”. Jean will work individually with you to review your documentation and coach you on how to prepare the package to give to healthcare practices.

BONUS! Vendor PIA live webinar includes Vendor non-disclosure agreement, Information Manager Agreement, GAP Analysis, Computer Network Narrative templates.

Jean has helped hundreds of physicians, chiropractors, pharmacists, and other healthcare providers complete their Privacy Impact Assessment. She has visited hundreds of practices across Canada. But time and geography limit my ability to visit each healthcare practice that needs a PIA. That's why I developed this on-line interactive course to help you learn everything you need in order to review, amend, or create your own PIA. Each module includes a video training as well as templates, tools, resources and two common case studies to build on each week. You can use these scenarios to guide you through the PIA process.

You know your practice better than anybody else. If you had the right tools, at the time most convenient for you and a mentor to help you, you can develop good office practices, meet legislated and college requirements, and successfully complete your Privacy Impact Assessment requirements.

Using a Webinar on-line interactive program, you will get great content and instructions from Jean Eaton and twice-monthly Q&A live training webinars.

The modules include:

Module 1:

PIA to Protect Your Practice, Your Assets, and Your Patients

Module 2:

Information Flows–-the Foundation of Your PIA

Module 3:

Risk Analysis and Mitigation Strategies

Module 4:

PIA Format - Pulling it All Together

Module 5:

Complete Your PIA Submission

BONUS Module 6:

Create a Branded Privacy Impact Assessment Readiness Package

The replays, tools, and resources will be available to you right away.

If you are new to this field, I suggest that you first register for Privacy Awareness in Healthcare: Essentials to master the key definitions and concepts.

Corridor_Privacy_Awareness_In_Healthcare_banner

Privacy Awareness in Healthcare: Essentials

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments –

A Complete Step-by-Step Course

5 Core Modules, Templates, Training, and Tools to Get Your PIA Done!

Twice Monthly Live Q&A Training Webinars

$450.00 (plus GST)

You will get

Learning Resource Guide for EACH module – how-to explanations, templates, and resource lists
Checklists to help you plan your PIA
MindMap of the entire PIA process
PIA project plan timeline templates
Checklists of personal and health information privacy and security policies that you need in your practice
Many examples of projects in medical, dental, chiropractic and more practices including new PIA project and PIA amendments.
Explanation and real-life examples of key terms that you need to know and include in your PIA
Strategies and templates of risk management assessments that you can customize
This E-course might qualify for CPE credits, too!

BONUS! Twice monthly live Q&A webinar training with Jean to help you get un-stuck with your PIA.

BONUS! Checklist to update your PIA to meet recent changes to Alberta's Netcare Portal.

BONUS! Private discussion group with other registered participants of this course to network and support each other on your PIA journey and continue to help you after this course closes.

BONUS! Regular updates of privacy resources and templates that you can use.

If you hired a consultant to do the work of the PIA process for you it may cost you as much as $3,000!

And then…when the consultant is done, they take their knowledge out the door with them.

Invest only $450 in this course and you'll have what you need to do your first PIA project today…and every project in the future!

What people are saying about our e-courses:

“When Jean told us about the Protest Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments E-course and explained how the course will help us better understand the Health Information Act, our responsibilities as healthcare providers and our relationship with our vendors and partners, I signed up right away! Thanks again – it is no doubt that we have hitched our wagon to a shining star.”
~~Bill Stowe, Business Manager Synergy Respiratory & Cardiac Care

“This was my first ever time I had to work on a PIA and I was a little nervous about doing it efficiently – but you really made it as simple and straight forward as possible. Thank you for being available for my questions when I had them. I would easily recommend Privacy Impact Assessments to Protect Your Practice course for anyone to do their own PIA's! Thank you so much!”
~~Karen Sarabura, Clinic Manager and Privacy Officer, CGA Medical Imaging, Alberta

“I attended the Privacy Impact Assessment Walk-through workshop (for ARMA members). Jean shared resources and on-going networking opportunities. The biggest benefit to me is to know that there is help out there in moving forward with our Privacy Impact Assessment responsibilities.”
~~Ellen Sauvé, Parkland County

Comments from other E-course participants:

“Learning about how all the information gathering systems interact was the most valuable part of this workshop”

“Excellent presenter – variety of learning opportunities.”

“Jean is an excellent speaker and I enjoyed the audio seminar you gave today and I learned a lot from your seminar.”
~~Annette T (AHIMA webinar, Three Mistakes in Managing a Privacy Breach”)

“Jean Eaton is one of those ‘critical suppliers' you keep in your email contacts list, no matter what company you manage. She really knows her stuff and delivers prompt, accurate information on time. Her courses are interesting, informative, and I like the opportunity to meet with classmates who have similar challenges.”
~~Kevin Morris, Shape MD, Team Leader/Office Manager

Not sure if the E-course is for you?

Jean will answer your questions in the free webinar,

Prevent Big Fines (or Worse!) for Your Healthcare Practice

How to Plan a Privacy Impact Assessment for Your Healthcare Practice

with Jean L. Eaton
Replay Recorded Live

This webinar is for Privacy Officers, Clinic Managers, Practice Managers and anyone else responsible for doing a PIA.

You will learn what is getting in your way of getting your PIA done!

In this free webinar, you will learn:

5 Manageable Steps of every PIA
3 Biggest Myths about PIA’s that is preventing you from completing your PIA
Questions Privacy Officers, Clinic Managers, Practice Managers and Healthcare providers should ask about PIA’s but don’t
Biggest fears about doing a PIA and how you can kick it to the curb so that you can finally get it done

Join us for the webinar so that you can plan your PIA for your healthcare practice!

Sign me up for this FREE webinar

Please provide your email address below and you will be re-directed to the webinar replay right away.

Check your email in-box to confirm your registration!

Along with your webinar registration, you will also benefit from the occasional Privacy Nugget tips by email of similar privacy resources and articles that you can use right away!

Alberta, amendment, breach, employee training, ePIA, ePrivacy, Health Information Act, healthcare, HIA, PIA, Practical Privacy Coach, Privacy Impact Assessment, privacy officer training, templates

Privacy Challenge #3 Privacy Collection Notice

Posted on October 17, 2015 by Meghan Davenport in Archive

Privacy Collection Notice

Every time we gather information from a client, we're entering into a trust relationship with them. We trust them to provide accurate information, and they trust us to keep it private and safe.

So it's only fair that we are transparent with our clients about our policies and procedures regarding the collection and safe-keeping of their important confidential information. We want them to understand:

Why we are collecting their information
How we are using their information
How we are protecting their information
How our organization meets the rules and regulations of our industry

#15DayPrivacyChallenge, 15 Day Privacy Challenge, Collection Notice, Health Information Act, HIA, Practical Privacy Coach, privacy, template

2015 Saskatchewan Connections Conference: Access, Privacy, Security, Records Management, and Health IM

Posted on March 23, 2015 by Jean Daffin in Blog

May 5 & 6, 2015 in Regina

Hosted by the Saskatchewan Ministry of Justice, Access and Privacy Branch, the 2015 Saskatchewan Connections Conference (#SKconnect15) is a regionally based conference intended to assist public bodies in developing connections between these disciplines and address the associated challenges. Access, Privacy, Security and Information / Records Management challenges are intertwined with almost everything public bodies do. Through a series of plenary, breakout and workshop sessions, delegates will gain a clearer understanding of access to information, privacy, information security, and records management issues that arise in organizations subject to FOIP, LAFOIP, and HIPA. More importantly it focuses on the connections between these discipline.

Join the LinkedIn Group here.

Click here for more information.

#SKconnect15, 2015 Saskatchewan Connections Conference, FOIP, HIA, Practice Management Mentor, privacy, Records Management, security, training

Netcare access to Registered Nurses as Custodians

Posted on September 22, 2014 by Jean Eaton in Blog

Are you a Registered Nurse and work in occupational health, at a First Nations care centre, at a remote nursing station, for a federal jurisdiction or for an authorized homecare service? Are you self employed?

If any of these describe your practice setting, you may be eligible to apply for access to Netcare as a custodian.

One of first things you need to do is submit a Privacy Impact Assessment (PIA) to the Office of the Information and Privacy Commissioner (OIPC).

Privacy Impact Assessment for Netcare (often bundled with EMR implementation Privacy Impact Assessment) must refer to Alberta Netcare Portal (ANP) Privacy Impact Assessment H3879. OIPC will not accept any PIA's referencing the ‘old’ Netcare PIA H1124.

If custodians (physicians, pharmacists, registered nurses, etc) have a PIA accepted prior to August 2012 and they want new / continued access to ANP they must amend their PIA and submit to OIPC.

Netcare (ANP) now requires all Provincial Organization Readiness Assessement (pORA) including completing “Section Two: Mandatory Security Requirements for S2S Sites”.

For more information, see

CARNA website and resources.

Information Mangers blog post, Do you have Netcare

Alberta, CARNA, HIA, Netcare, Registered Nurses

Do you have Netcare?

Posted on September 22, 2014 by Jean Eaton in Blog

Netcare's PIA Process

When we provide our personal and sensitive information to a healthcare provider, we want assurances that the confidential information will be respected. We expect that our information will only be shared with people who need to know the information to provide health services to us. Alberta's Health Information Act requires healthcare providers (custodians) to put appropriate safeguards in place to protect the privacy, confidentiality, and security of health information.

Alberta Netcare, also known as the Alberta Electronic Health Record (EHR), is a network of information systems that allows authorized users to see prescriptions, lab results, diagnostic images (e.g. x-rays and ultrasounds) and hospital reports (e.g. hospital discharge summaries). Netcare is used throughout Alberta in hospitals run by Alberta Health Services and Covenant Health and in medical clinics and pharmacies. This is managed by Alberta Health, Government of Alberta. Alberta Health Services (regional health authority), community pharmacies, labs and diagnostic imaging centres and other agencies upload patient information to Netcare.

Netcare Portal PIA

Each custodian is required by Health Information Act to submit a Privacy Impact Assessment to the OIPC. Alberta Health submitted a Privacy Impact Assessment (H1124) in 2006 for Alberta Netcare Portal (ANP) and an updated Privacy Impact Assessment (H3879) in March 2013.

Healthcare providers (custodians) who request access to Alberta Netcare Portal (ANP) must submit a Privacy Impact Assessment to the OIPC that documents the healthcare providers’ computer systems integration with Alberta Netcare.

If you have a previous Privacy Impact Assessment that was accepted by the OIPC regarding your access to Alberta Netcare Portal and it is less than two years old, you can submit a Privacy Impact Assessment Addendum. If you have previously completed a Provincial Organization Readiness Assessement (pORA) you will need to review and update the pORA including completing “Section Two: Mandatory Security Requirements for S2S Sites” and return it to Alberta Health for review and approval.

If you have not yet submitted a Privacy Impact Assessment

You need to submit a PIA to the OIPC for acceptance. This must reference the ANP Privacy Impact Assessment (H3879). You must also complete and submit a pORA including “Section Two: Mandatory Security Requirements for S2S Sites”.

Questions to ask:

1) When was the last time we reviewed our PIA? (This should be reviewed annually.)

2) Do we have / do we want access to Alberta Netcare Portal (ANP)? If ‘yes’, then:

3) Was your Privacy Impact Assessment accepted more than two years ago (before August 2012)? If ‘yes’, then

Review and amend your PIA and submit to OIPC including reference to ANP Privacy Impact Assessment H3879 and
Review your pORA including “Section Two: Mandatory Security Requirements for S2S Sites”. You will likely need additional support from your computer network vendor and your EMR vendor.

4) If you are a Registered Nurse and work in occupational health, at a First Nations care centre, at a remote nursing station, for a federal jurisdiction or for an authorized homecare service or self employed, you may be eligible to apply for access to Netcare as a custodian. The above steps also applies to you.

Please share this information with colleagues and your computer network support, EMR vendor, and privacy officer in your organization.

PS

Not all healthcare providers are custodians as defined by Health Information Act. For more information, see our blog, HIA Amendments and Document Management Tip

For more information see:

Alberta OIPC. Bulletin Health Information Act Bulletin August 2014 Update.

Alberta Netcare, Your System Integration with Alberta Netcare.

CARNA Netcare Access to Registered Nurses as Custodians.

Need to do a Privacy Impact Assessment or a Privacy Impact Assessment amendment? We have a course for that!

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course

Alberta, E-course PIA; privacy impact assessment, HIA, Netcare, PIA, pORA, Practical Privacy Coach, privacy officer

Sharing Your EMR in a Group Practice PMN Replay

Posted on March 2, 2014 by Meghan Davenport in PMN Replay, Practice Management Nugget Interview

Sharing Your EMR in a Group Practice – an interview with Brandon Blanck & Rita Hielema of Microquest.

Recorded live on Thursday, April 24th

Our guests: Brandon Blanck is the Vice President and Fatima Haymour, Client Services Representative of Microquest. Microquest is today's leading practice management software.

Brandon and Fatima shared keys to sharing your EMR Database in a shared practice:

The importance of having a clear understanding of how patient records in a shared EMR database are controlled.
- Know that the Information Manager Agreement between the software vendor and the named individual on the contract are the only individuals that the software vendor can receive instructions on how to manage the records in the database.
- As a group healthcare practice, have a clear understanding and supporting documents that sets out how patient records will be collected, used, and disclosed during the group practice and whenever the membership of the group practice changes.
- Take a pro-active privacy role and inform patients how their information will be protected during the routine practice operations and when healthcare providers are added – or leave – the practice.
- Decide how you are going to decide about the on-going operational changes to how the software will be used in your practice.
Identify in the EMR software who is the primary (or default) healthcare provider for each patient. Talk with your software vendor how best to record this.
It's never too late to start! If you missed creating an Information Management Agreement or Data Sharing Agreement in your group practice, do it now! See the resources for samples that you can use.

You will also hear some stories from Brandon and Fatima about scenarios they have encountered in group practices – the good, the bad, and the ugly of a shared database when a physician leaves.

Resources:

Subscribe to Privacy Nuggets

Learning Resource Guide Sharing Your EMR

Document Management Tip Data Sharing Agreement Healthcare Providers

DT-In-Search-of-Plain-Language-Privacy Statements-in-Practice-Management

Executive SummaryIMA_PatientRecords_SAMPLE

Infographic – IMA Patient Records

Video – What is an IMA?

Replay Audio Only

Replay Audio and Slides

data sharing agreement, healthcare, HIA, IMA, information manager agreement, Microquest, Practice Management Mentor, Practice Management Nugget

Pharmacist Used Health Information for Personal Reasons

Posted on January 4, 2014 by Meghan Davenport in Blog

A Calgary pharmacist has been cited for using the health information of a patient in an attempt to establish a personal relationship with her.

The woman complained to the Information and Privacy Commissioner, alleging that the relief pharmacist employed at a pharmacy in Calgary, had contacted her twice by phone and attempted to “friend” her on Facebook.

The Health Information Act (HIA) prohibits employees from using health information for purposes not required to do their job. The investigation by the Privacy Commissioner found that the pharmacist misused health information, and that the pharmacy manager had failed to provide privacy and security training to the pharmacist.

The pharmacy had access to privacy policies and training but the pharmacist in question was not made aware of these policies by the pharmacist manager. The investigation concluded by reinforcing the need for following through on administrative and technical safeguards and training for all staff.

Do you provide privacy training for all of your staff – including professional healthcare service providers? How do you document that each staff has received the training? How often do you re-fresh or update the training? A privacy management program is an important part of your responsibility as a healthcare provider, practice management and business owner. See our training programs for additional resources you can use right away.

For more information, check out the full OIPC Investigation Report H2013-IR-02

You can also read the Calgary Herald article (Dec 17, 2013) here

Alberta, breach, complaint, Health Information Act, HIA, OIPC, privacy, privacy breach

Alberta’s Health Information Act (HIA) Amendment

Posted on October 3, 2013 by Jean Eaton in Blog

The Health Information Act (HIA) was amended was approved by Orders in Council on September 3, 2013.

The amendment includes:

Naming a non‑regional health authority Family Care Clinic approved by the Minister as a custodian. (HIA s2(1)(g)).

Disclosure of registration information – For the purposes of section 36(c) of the Act, a custodian may disclose individually identifying registration information about an individual without the consent of the individual

(a) to an ambulance attendant or ambulance operator under the Emergency Health Services Act,

(b) to the Minister of Health or Minister of Human Services for the purpose of administering the Aids to Daily Living Program, or

(c) to the Minister responsible for the Seniors Benefit Act and the Seniors’ Property Tax Deferral Act for the purpose of administering those Acts.

Remember to update your policies and procedures! See our Document Management Tip for a sample policy update that you can use to insert into your Health Information Management and Security Manual.

Alberta, Alberta HIA Amendment, amendment, custodian, Family Care Clinic, HIA, policies, templates

Charges laid under the Health Information Act

Posted on October 31, 2012 by Jean Eaton in Blog

A self-reported breach by an individual to the Office of the Information and Privacy Commissioner resulted in an offence investigation being opened into suspicious access to health information. The completed investigation, after being referred to Crown prosecutors at Alberta Justice, led to thirty-one charges under the Health Information Act being laid for improperly accessing other individuals’ health information. Another charge was laid for inappropriate use of health information, another for inappropriate disclosure of health information, and one more charge for knowingly falsifying a record. In addition to these thirty-four charges under the Health Information Act, six charges were also laid under the Criminal Code.

The Calgary Herald reports that Brian Hamilton, OIPC Director for the Health Information Act, would only confirm the accused is not a doctor or other medical professional. The matter will be heard in Airdrie Provincial Court on Thursday, October 18, 2012.

The Edmonton Journal also reported that, in addition to the charges under the Health Information Act, the accused may face up to six Criminal Code charges.

Each organization has a responsibility to ensure that their employees (affiliates) receive education and training in their roles and responsibilities under the HIA. Information Managers can help you by providing training on-site and now by webinar. Click here for more information.

For more information, see:
the OIPC Website (http://www.oipc.ab.ca/Content_Files/Files/News/NR_Oct_2012.pdf)

http://www.calgaryherald.com/health/Charges+laid+improper+access+health+files/7400003/story.html

http://www.edmontonjournal.com/health/Alberta+Justice+lays+charges+improperly+accessing+health+information/7399425/story.html

access, Alberta, complaint, disclosure log, Health Information Act, HIA, improperly accessing health information, OIPC, privacy, privacy breach, training

1 2 3