The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Posted on November 29, 2018 by Jean Eaton in Blog

In order to provide services, healthcare practices must collect pertinent information from patients. This data gathering often includes many sources of information, across different types of technology, among multiple vendors. Good business practices and health records management is supported by three agreements your healthcare must have: information manager agreement (IMA), information sharing agreement (ISA), and successor custodian agreement.

For instance, when a patient attends a clinic, their details are nearly always entered into a computer software program to maintain demographic information, manage patient appointments, and to process payments. Often, health service providers (including physicians, pharmacists, chiropractors, dentists, psychiatrists and more) record their patients’ notes into an electronic medical record (EMR).

Patient information is shared between providers where required. For example, when the patient visits a diagnostic lab for testing, results are often transmitted electronically to the ordering physician’s fax machine or to the EMR.

Custodians including physicians, pharmacists, chiropractors, dentists, and psychiatrists, as defined by the Alberta’s Health Information Act (HIA), must follow HIA legislation when they collect, use, and disclose health information.

Often, custodians are also the owners of independent healthcare practices. However, an owner of a healthcare practice is not the custodian if they are not also an active member of a regulated health profession named as custodians in the HIA.

1. Information Manager Agreement

The HIA allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, so patients can receive health services, and make payments. This often requires the custodian to share patient information with a vendor (or give them access to) so the vendor can process, store, or provide information as needed.

The custodian selects one or more business to provide the services, equipment, or software to assist in the management of health information. For example: EMR provider, contracted transcriptionist, billing agent, remote backup service, etc. These businesses are known in the HIA as information managers.

Before sharing health information with someone else, the custodian must ensure that the partners and vendors have reasonable safeguards in place to protect sensitive health information. The custodians must ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

The Information Manager Agreement (IMA) is one of three crucial agreements a healthcare practice must have in place.

If You Don’t Have an IMA

If you are a custodian who uses vendors as part of your business and you do not have an IMA with that vendor…

You are in breach of the HIA.
You may incur fines under the HIA.
You may face sanctions and disciplinary actions from your professional regulatory college.
Almost certainly, you will encounter conflicts, poor communication, between yourself and the vendor(s) and the other participating custodians in your practice.
You may lose control of the health information as reported in the Investigation Report H2013-IR-01from the Alberta Office of the Information and Privacy Commissioner (OIPC).

In a press release from the Alberta OIPC in 2013, Information and Privacy Commissioner Jill Clayton noted that:

“The HIA allows custodians to disclose health information to IT service providers, such as EMR vendors, under an appropriate Information Manager Agreement. When custodians do not sign these agreements, they may find themselves in the unfortunate position of losing control over the health information they need to provide health services.”

Investigation Report H2013-IR-01 (https://www.oipc.ab.ca/news-and-events/news-releases/2013/investigation-report-h2013-ir-01.aspx)

Who Must Create the Information Manager Agreement?

The custodian is responsible to ensure that there is an appropriate IMA created and signed.

The information manager can assist the custodian by preparing templates of the IMA including specific details of the services that they will provide and the safeguards that the vendor will implement to protect personal health information.

Key Points About IMAs

A few important notes about IMAs.

IMA must be signed by the custodian.
Agreements signed by individuals who are not custodians are not valid under the HIA.
Custodians are required under the HIA to have an IMA with the vendor before disclosing health information. If there is no agreement in place, the custodian is in breach of the HIA.
Custodians are responsible for the health information that they collect, use, and disclose. Therefore, the custodian is responsible for the IMA and to ensure that the health information will be handled confidently and securely.

Key Points IMA

The custodian can select the best vendor and information manager for the job. The vendor who understands the requirements of the HIA and who can demonstrate that they have implemented the appropriate reasonable safeguards and can assist the custodian to develop an appropriate IMA is, in my opinion, demonstrating a significant competitive advantage.

All healthcare providers in a community practice should spend time when creating their business to establish good business practices, including developing written contracts and agreements to improve the efficiency of the business and to make things happen in the way that they are planned.

Here is a common example

Dr. Alice and Dr. Mark created a welcoming family medical practice in a new sub-division of their city. They each worked hard to attract new patients, hire and train staff, and develop a profitable business.

In the last few years, Alice and Mark had differences of opinion on how to grow their business. In the end, Alice decided that this type of practice wasn’t for her. She decided to leave and join a larger practice in a neighbouring subdivision. Alice wanted to take her patient’s records with her to her new practice and continue to see her patients at the new location.

Mark, who had signed the IMA with the EMR vendor, did not agree to Alice’s request to transfer her patient records to her new group practice.

Alice and Mark argued and eventually involved a professional mediator to help them resolve their business conflict. Hurt feelings between the providers and staff, costly delays in their business and expenses could have been avoided if Alice and Mark had established clear expectations in the event of the termination of their business partnership when they started their group practice. An IMA between custodians in a group practice is a recommended best practice.

When You Have Multiple Custodians in Your Healthcare Practice

When the practice has multiple providers, the owner and custodian frequently assumes responsibility for maintaining the contracts and IMAs with the vendors. Each of the participating healthcare providers may delegate the responsibility of maintaining the vendor arrangements to the custodian owner. This can be achieved with an IMA between the owner / custodian and each participating custodian.

Custodian Owner IMA

Each healthcare provider custodian is considered the custodian of the health information that they collect. The custodians can jointly agree to all use the same EMR. This provides continuity of care for the patients and economy of scale for the participants of the practice.

When the owner/custodian signs the agreement with the EMR, they become the signatory custodian. The EMR vendor takes their instructions from the signatory custodian.

The owner / custodian is now an information manager for all the participating custodians. but does not become a custodian of the health information provided to them in their roles as an information manager.

For example,

Dr. Bill opened his medical practice, ABC Clinic. Later, additional physicians were recruited to work at ABC Clinic. The physicians are each custodians as defined by the HIA.

Dr. Bill assumes the responsibility for the operations of the clinic including the computer network and the contract with the EMR vendor. Dr. Bill is the information manager for the patient records at the clinic.

Each physician signs an IMA with Dr. Bill and agree that he will continue to manage the patient records on their behalf. Dr. Bill is operating as an information manager.

In his role of the information manager, Dr. Bill must follow the instructions from each physician, the custodian, as it relates to the management of their patients’ records.

2. Information Sharing Agreement (ISA)

When you have more than one physician in your practice, you need an agreement about how you will decide to manage the personal health information in your practice.

An Information Sharing Agreement (ISA) focuses on the internal decision making about all things related to personal health information whereas, an IMA is an agreement with a single vendor about the services that the vendor provides.

ISA IMA

An ISA may include things related to the services that a vendor provides but is not limited to just vendor services.

It also includes decisions about the process to ensure appropriate role based access to personal health information in the EMR, computer network, and paper formats; the regular review of health information privacy and security policies and procedures, ensuring privacy and security awareness training, the regular review of administrative, technical, and physical safeguards in the practice, and so on.

In larger organizations or when several smaller organizations participate in an information sharing initiative, a Data Management Committee may provide oversight and facilitate this process.

An ISA is a requirement of the College of Physicians and Surgeons of Alberta.

Identifying a successor custodian is also a requirement of the College of Physicians and Surgeons (CPSA).

3. Successor Custodianship Agreement

As a business owner, you need to plan a successor to the business. This might be an interim or short-term decision to ensure continuity during an absence or future retirement planning or unexpected illness or death.

In healthcare, physicians and custodians have the added responsibility as the ‘gatekeeper’ for patient records. In the event of a sudden inability to meet these responsibilities, physicians need to identify a successor custodian to ensure appropriate and continued access by patients to their health information for their continuing care and treatment and to ensure that the continuing confidentiality, security, and access to patient records continue to be fulfilled.

Have you identified a successor custodian? Each of the physicians in your group practice should also identify their own successor custodian.

This is a CPSA requirement and should also be included in the Privacy Impact Assessment if you have this information available. See CPSA, Patient Record Retention, s.5:

A regulated member acting as a custodian must designate a successor custodian to ensure the retention and accessibility of patient records in the event the regulated member is unable to continue as custodian. (Reference: Health Information Act Section 35(1)(q)

If you are a chiropractor, the Alberta College and Association of Chiropractors (ACAC) further requires its members to name a chiropractor as the successor custodian to maintain the status of ‘chiropractic’ records. (See the ACAC’s Standards of Practice s5.3 Custodianship of Health Records.)

A chiropractor, as a custodian of health records, is responsible for the care and control of the health records in their practices as required by the Health Information Act of Alberta. A custodian of active chiropractic files must be under the custody or control of an active, registered member of the ACAC.

Note that under the Health Information Act, a chiropractor may disclose files to another custodian who is not a chiropractor, and only a chiropractor may have custody or control of chiropractic files. Chiropractic files disclosed to a non-chiropractor should no longer be considered chiropractic files.

A custodian must implement technical and physical safeguards to protect the confidentiality of the information and privacy of individuals as well as protections against reasonably anticipated threats to the security or integrity of the information. A custodian must also defend against unauthorized uses, disclosures or modifications of the information. Safeguards must be periodically assessed and documented in policies and procedures.

If you are working in an owner/custodian scenario discussed above, clearly identifying a successor custodian becomes imperative. An unplanned absence of the owner / custodian can seriously jeopardize the business and the continuing care and treatment of patients.

The custodian can, but is not required to, name another custodian in the same practice to be their successor. Whatever your decision, ensure that this is well documented and easily accessible to the other custodians and key decision makers in your organization in the event of an emergency.

The best time to create IMA, ISA, and Successor Custodianship Agreements is when you start your healthcare business.

The second best time in now.

What are you waiting for?

If you need assistance, contact Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers. I’m here to help you with your Practice Management Success.

Tell me more about PIA's

Want more content like this?

Get Your Practice Management Success membership

chiropractors, dentists, health care, Health Information Act, healthcare, HIA, IMA, information management agreement, information manager agreement, information sharing agreement, ISA, medical, physicians, Practice Management Success, successor custodian

What is an Information Manager Agreement (IMA)?

Posted on October 25, 2017 by Jean Eaton in Blog

Having a clear agreement of how patient records will be maintained to ensure privacy, security, and confidentiality in a paper based patient record or in a shared EMR database is the objective of an Information Manager Agreement. This may also be called a Data Sharing Agreement, Information Sharing Agreement, or Business Associate Agreement.

Prenuptial Agreement

In a group healthcare practice, have a clear understanding in writing that sets out how patient records will be collected, used, and disclosed during the group practice is critical to the security of the patient information, health service provider information, and good will between members of the group practice. Think of this as the ‘prenuptial' agreement in your business relationship.

Who is an Information Manager?

In Alberta, the Health Information Act (HIA) defines an information manager. Generally, it is a special kind of an affiliate, usually a business or a vendor, who provides a service that does some specific task (authorized by the custodian) with health information. This could be a billing agent, accredited billing submitter, outsourced transcriptionist, EMR vendor or other service provider.

If you are using an EMR vendor, the named individuals on the IMA are the only persons that the software vendor can receive instructions on how to manage the records in the database. Often, this is the physician lead and business owner.

Sometimes, the custodian is also the information manager. For example, a physician (custodian) and business owner may assume the responsibility of ensuring the security of all the patient records authored by other custodians in the group practice. The physician / custodian / business owner / information manager must follow all the rules of the IMA and HIA.

Not every healthcare practice has an information manager. Some group practices have many information mangers providing different services. There are many details and options to consider. The discussion–and then putting it in writing–is the key to positive business relationship and secure records management.

Avoid surprises – and nasty exits

Some tips to prevent surprises:

Take a pro-active privacy role and inform patients how their information will be protected during the routine practice operations and when healthcare providers are added to – or leave – the practice.
Decide how you are going to decide about the on-going operational changes to how the software will be used in your practice.
Identify in the EMR software who is the primary (or default) healthcare provider for each patient. Talk with your software vendor how best to record this.

It’s never too late to start! If you missed creating an Information Management Agreement or Data Sharing Agreement in your group practice, do it now!

See the Digital Resources for samples that you can use.

Clinic on the Infographic to download

Download our Infographic, “What is an IMA?”

Watch the Video

business arrangement agreement, data sharing agreement, Health Information Act, HIA, IMA, information manager agreement, information sharing agreement, PIA, Practical Privacy Coach, Privacy Impact Assessment

Are You a Vendor That Supports Healthcare Practices?

Posted on January 14, 2016 by Jean Eaton in Blog

New healthcare business needs IT solutions and asking if you have a PIA

(what will you do about it?)

Healthcare practices throughout Canada and the US need IT services and have money to buy new hardware, software and service contracts. They also need a Privacy Impact Assessment (PIA) and want to work with a vendor who is PIA prepared.

Vendors are required to comply with the healthcare providers ‘PIA's and their privacy, confidentiality, and security best practices.

“A PIA should be as commonplace to a healthcare practice as a business plan is to a business.”

-Jean L. Eaton, Your Practical Privacy Coach

BUT most healthcare practices don't know this and often don't know that a PIA is usually part of their professional college requirements and often even a legislated requirement! Developing a PIA and the supporting policies and procedures will help a healthcare practice to prevent gross errors, omissions or attacks that could result in fines and even jail time for the business, healthcare provider, employee, or vendor. A vendor that supports healthcare practices must:

Understand the PIA process and the healthcare customer needs
Understand the requirements of legislation (for example, Health Information Act Regulations, Electronic Health Records Regulations, HIPAA, etc.) that the clinic must follow, it includes technical safeguards to protect privacy and confidentiality and security of patients' health information.
Makes sure that vendor's business practices meet privacy and safety legislation. This is an excellent opportunity for the seller to lead by example and demonstrate how to implement and follow best practices. This includes:
Having a named Privacy Officer
Implementing an internal privacy and security incident management program
Implementing a privacy awareness program for all of your employees
Providing an Information Management Agreement (IMA) or Business Agreement (BA) to the healthcare provider that meets regulations.

Not every healthcare practice knows all of the technical, physical, and administrative safeguards that should be in place to prevent the risks of unauthorized access, use, or disclosure of sensitive health information. A vendor that understands the requirements can make better recommendations for the healthcare practice. In fact, the experienced vendor can:

Create a premium value-added service to guide all new clinics with step by step instructions about the regulations and requirements of the service and
Profile how the vendor can best support the healthcare practice
Create more sales and help more customers by providing the services they need (even if they don't know it, yet!).
Coach the healthcare practice early in the sales process about how the vendor's services can support the healthcare practice. This results in less work and headache for both the practice and the provider.

Do you want to become the preferred vendor in this large customer niche?

You need to learn what the healthcare business needs to successfully complete their Privacy Impact Assessment. Then you can develop branded PIA Readiness Plan for your business that you can give to the healthcare provider to support them to create their PIA.

Have you seen this?

IT vendor Privacy Impact Assessment Readiness Plan

Brought to you by Jean L. Eaton, Your Practical Privacy Coach

Join Privacy Nuggets and get some more tips, tools, and templates that you can use right away to improve your privacy management program.

BA, health care, healthcare, IMA, IT vendor, PIA, Practical Privacy Coach, Privacy Impact Assessment, Privacy Impact Assessment Readiness Plan, vendor

Sharing Your EMR in a Shared Practice

Posted on November 10, 2014 by Meghan Davenport in PMN Replay, Practice Management Nugget Interview

Practice Management Nugget Webinar

Recorded live April 24th, 2014

Expert interview with Brandon Blanck and Rita Hielema of Microquest

Practice Management Nuggets is a weekly interview series with practice managers, healthcare providers, or trusted vendors who support healthcare practices. Topics includes things you need to know to help you start, grow, fix, or maintain your healthcare practice. The events will be short—about 30 minutes—with nuggets of information that you can use right away.

Practice Management Nuggets’© series is hosted by Jean Eaton (the Practice Management Mentor) of Information Managers Ltd.

Brandon Blanck is the Vice President of Microquest, and Rita Hielema is the Business Development & Account Manager. Microquest is today's leading practice management software. Microquest's Healthquest software simplifies, automates, and streamlines the business processes in ways that make it easy to organize, plan, and make decisions quickly and with confidence.

Brandon and Rita are going to talk about how to implement and use an EMR in a shared group practice. You will learn:

The importance of having a clear understanding of how patient records in a shared EMR database are controlled
Learn how to use an Information Management Agreement for Patient Records

You will also hear some stories from Brandon and Rita about scenarios they have encountered in group practices – the good, the bad, and the ugly of a shared database when a physician leaves.

Bonus! Download Now – Infographic IMA Patient Records

Tweet this!

data sharing agreement, IMA, information manager agreement, Microquest, Practical Privacy Coach, Practice Management Mentor, privacy

Sharing Your EMR in a Group Practice PMN Replay

Posted on March 2, 2014 by Meghan Davenport in PMN Replay, Practice Management Nugget Interview

Sharing Your EMR in a Group Practice – an interview with Brandon Blanck & Rita Hielema of Microquest.

Recorded live on Thursday, April 24th

Our guests: Brandon Blanck is the Vice President and Fatima Haymour, Client Services Representative of Microquest. Microquest is today's leading practice management software.

Brandon and Fatima shared keys to sharing your EMR Database in a shared practice:

The importance of having a clear understanding of how patient records in a shared EMR database are controlled.
- Know that the Information Manager Agreement between the software vendor and the named individual on the contract are the only individuals that the software vendor can receive instructions on how to manage the records in the database.
- As a group healthcare practice, have a clear understanding and supporting documents that sets out how patient records will be collected, used, and disclosed during the group practice and whenever the membership of the group practice changes.
- Take a pro-active privacy role and inform patients how their information will be protected during the routine practice operations and when healthcare providers are added – or leave – the practice.
- Decide how you are going to decide about the on-going operational changes to how the software will be used in your practice.
Identify in the EMR software who is the primary (or default) healthcare provider for each patient. Talk with your software vendor how best to record this.
It's never too late to start! If you missed creating an Information Management Agreement or Data Sharing Agreement in your group practice, do it now! See the resources for samples that you can use.

You will also hear some stories from Brandon and Fatima about scenarios they have encountered in group practices – the good, the bad, and the ugly of a shared database when a physician leaves.

Resources: