Information Managers

Before You Close Your Healthcare Practice

Posted on July 28, 2020 by Jean Eaton in Blog

Thinking About Closing Your Healthcare Practice?

Are you considering closing, moving, or merging your healthcare practice?

Sometimes this is a tough decision to make. Sometimes this is something that you have been looking forward to or an opportunity too good to pass up. Sometimes, there is a dispute between the associates or the business is profitable.

Regardless of how you get to this decision, when you decide to close your business, you will need to plan how you will continue to manage your patient records.

Closing or moving a healthcare provider practice takes co-ordination, patience, communication, and documentation. You will need to plan the continued administrative, technical, and physical safeguards of the patient health records.

Patients and clients have a unique trust with their healthcare provider. They trust that you will provide them continuing healthcare and continued access to their own health information that you have recorded. You are also expected to securely keep their personal health information and follow your professional college standards and health information privacy laws.

Manage Your Patient Records

You have a number of responsibilities when it comes to protecting the data you've collected from your patients.

Generally, you have a few options:

  • Inform your patients that your business is closing and that they can request that their patient records be transferred to another provider now, and provide contact information so that they can reach you in the future. (You must maintain the patient records for 10+ years.)

  • Arrange with another healthcare professional (custodian) to assume the care of your patient records. This would be applicable if another professional bought your practice. This might be your successor custodian.

  • Arrange with a third-party provider (like Iron Mountain) to be your contact person to receive requests from patients for their information and process those requests. They will take over the secure storage of your patient records. There is a fee to do this.

Before You Close Or Move Your Practice

Follow these 5 important steps before you close or move your healthcare practice to ensure your continued privacy compliance!

1. Inventory All Your Existing Patient Records
2. Patient Records Systems
3. Agreements
4. Existing Documents
5. Privacy Impact Assessment Amendment Plan

Read the Practice Management Success Tip to find out more to assist you with your continued privacy compliance.

Updated! Practice Management Success Tip

In Closing or Moving Your Chiropractic / Healthcare Practice, you have access to template forms you can use right away, including:

  • Sample Letter to Patients – Chiropractor's Notice of Absence or Closing of Practice
  • Patient Record Transfer Authorization Form
  • Moving / Closing Poster for Clinic
  • Access to Patient Records

You also have access to procedure templates, so you can ensure that you keep an accurate inventory of your patient records, and that you record where they are stored or when they were destroyed.

These procedure templates include:

  • Inventory of Patient Records
  • Archive and Destruction Log
  • Data Quality Assurance
  • Quality Assurance Document Imaging (Scan) to EMR

 

Click Here to Download Close Or Move Your Chiropractic Practice

Click Here to Download Close Or Move Your Healthcare Practice

Listen to the Practice Management Nuggets Podcast Episode #090

Questions?

Ask me, Your Practice Management Mentor. 

Why You Need To Get The Right Agreements With Your Vendors

Posted on February 4, 2020 by Jean Eaton in Blog

Donna Grindle knows having a business arrangement agreement between a healthcare provider and their business associate is very important in defining clearly the responsibilities of both parties.  

But, many healthcare providers, business owners, and vendors don’t get this right!

Donna shares her observations on the HIPAA violations trends from the United States so that healthcare providers and vendors in Canada can prevent similar experiences and avoid massive fines and penalties.

Donna Grindle is my guest expert on Practice Management Nuggets For Your Healthcare Practice.

Donna Grindle's #1 Tip to healthcare providers and vendors

Don’t assume. Ask questions!

My Favorite Takeaways From The Podcast

  • Healthcare privacy and security regulations are more similar than different.
  • Educate as many people as possible about the importance of privacy and cybersecurity.
  • Don't assume that you don't have to ask questions.
  • Privacy is a civil right.
  • Under HIPAA, any business that provides a service to covered entities (healthcare providers) that requires them to have access to protected health information is then considered a business associate (BA).
  • BAs are separately and equally liable to protect patient information.
  • You must have a written agreement between your vendors and your healthcare providers that describes how you will protect patient health information. If you disclose personal information without a written agreement, you are breaking the law.
  • A BAA / IMA must include a liability clause.
  • Tips: Healthcare Provider Selecting A Vendor
  • Tips: Vendor Selecting A Healthcare Client
  • Cybersecurity insurance

Featured Guest: Donna Grindle

Founder & CEO, Kardon, and Co-Host, Help Me With HIPAA Podcast

Donna brings over 30 years' experience in healthcare IT, which is the solid foundation of Kardon’s HIPAA privacy and security consulting. Donna stays busy with speaking engagements, the weekly Help Me With HIPAA podcast, and managing a business with a growing client list. Donna’s sense of humor and southern charm spill out into everything she does.

Be sure to tune in to my interview with Donna Grindle,

What Healthcare Practices Should Know About Vendor Vetting And Accountability | Episode #085

Listen To The Podcast Here

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Posted on November 29, 2018 by Jean Eaton in Blog

In order to provide services, healthcare practices must collect pertinent information from patients. This data gathering often includes many sources of information, across different types of technology, among multiple vendors. Good business practices and health records management are supported by three agreements your healthcare practice must have: an information manager agreement (IMA), an information sharing agreement (ISA), and a successor custodian agreement.

For instance, when a patient attends a clinic, their details are nearly always entered into a computer software program to maintain demographic information, manage patient appointments, and to process payments. Often, health service providers (including physicians, pharmacists, chiropractors, dentists, psychiatrists and more) record their patients’ notes into an electronic medical record (EMR).

Patient information is shared between providers where required. For example, when the patient visits a diagnostic lab for testing, results are often transmitted electronically to the ordering physician’s fax machine or to the EMR.

Custodians, including physicians, pharmacists, chiropractors, dentists, and psychiatrists, as defined by Alberta’s Health Information Act (HIA), must follow HIA legislation when they collect, use, and disclose health information.

Often, custodians are also the owners of independent healthcare practices. However, an owner of a healthcare practice is not the custodian if they are not also an active member of a regulated health profession named as custodians in the HIA.  

1. Information Manager Agreement

The HIA allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, so patients can receive health services, and make payments. This often requires the custodian to share patient information with a vendor (or give them access to) so the vendor can process, store, or provide information as needed.

The custodian selects one or more businesses to provide the services, equipment, or software to assist in the management of health information. For example: EMR provider, contracted transcriptionist, billing agent, remote backup service, etc. These businesses are known in the HIA as information managers.

Before sharing health information with someone else, the custodian must ensure that the partners and vendors have reasonable safeguards in place to protect sensitive health information. The custodians must ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

The Information Manager Agreement (IMA) is one of three crucial agreements a healthcare practice must have in place.

If You Don’t Have an IMA

If you are a custodian who uses vendors as part of your business and you do not have an IMA with that vendor…

  • You are in breach of the HIA.
  • You may incur fines under the HIA.
  • You may face sanctions and disciplinary actions from your professional regulatory college.
  • Almost certainly, you will encounter conflicts and poor communication between yourself, the vendor(s), and the other participating custodians in your practice.
  • You may lose control of the health information, as reported in the Investigation Report H2013-IR-01 from the Alberta Office of the Information and Privacy Commissioner (OIPC).

In a press release from the Alberta OIPC in 2013, Information and Privacy Commissioner Jill Clayton noted that:

“The HIA allows custodians to disclose health information to IT service providers, such as EMR vendors, under an appropriate Information Manager Agreement. When custodians do not sign these agreements, they may find themselves in the unfortunate position of losing control over the health information they need to provide health services.”

Investigation Report H2013-IR-01 (https://www.oipc.ab.ca/news-and-events/news-releases/2013/investigation-report-h2013-ir-01.aspx)

Who Must Create the Information Manager Agreement?

The custodian is responsible for ensuring that an appropriate IMA is created and signed.

The information manager can assist the custodian by preparing templates of the IMA including specific details of the services that they will provide and the safeguards that the vendor will implement to protect personal health information.

Key Points About IMAs

A few important notes about IMAs.

  • An IMA must be signed by the custodian.
  • Agreements signed by individuals who are not custodians are not valid under the HIA.
  • Custodians are required under the HIA to have an IMA with the vendor before disclosing health information. If there is no agreement in place, the custodian is in breach of the HIA.
  • Custodians are responsible for the health information that they collect, use, and disclose. Therefore, the custodian is responsible for the IMA and for ensuring that the health information will be handled confidentially and securely.

The custodian can select the best vendor and information manager for the job. The vendor who understands the requirements of the HIA and who can demonstrate that they have implemented the appropriate reasonable safeguards and can assist the custodian to develop an appropriate IMA is, in my opinion, demonstrating a significant competitive advantage.

All healthcare providers in a community practice should spend time when creating their business to establish good business practices, including developing written contracts and agreements to improve the efficiency of the business and to make things happen in the way that they are planned.

Here is a common example

Dr. Alice and Dr. Mark created a welcoming family medical practice in a new sub-division of their city. They each worked hard to attract new patients, hire and train staff, and develop a profitable business.

In the last few years, Alice and Mark had differences of opinion on how to grow their business. In the end, Alice decided that this type of practice wasn’t for her. She decided to leave and join a larger practice in a neighbouring subdivision. Alice wanted to take her patients’ records with her to her new practice and continue to see her patients at the new location.

Mark, who had signed the IMA with the EMR vendor, did not agree to Alice’s request to transfer her patient records to her new group practice.

Alice and Mark argued and eventually involved a professional mediator to help them resolve their business conflict. Hurt feelings between the providers and staff, costly delays in their business and expenses could have been avoided if Alice and Mark had established clear expectations in the event of the termination of their business partnership when they started their group practice. An IMA between custodians in a group practice is a recommended best practice.

When You Have Multiple Custodians in Your Healthcare Practice

When the practice has multiple providers, the owner and custodian frequently assumes responsibility for maintaining the contracts and IMAs with the vendors. Each of the participating healthcare providers may delegate the responsibility of maintaining the vendor arrangements to the custodian owner. This can be achieved with an IMA between the owner / custodian and each participating custodian.

Each healthcare provider custodian is considered the custodian of the health information that they collect. The custodians can jointly agree to all use the same EMR. This provides continuity of care for the patients and economy of scale for the participants of the practice.

When the owner/custodian signs the agreement with the EMR, they become the signatory custodian. The EMR vendor takes their instructions from the signatory custodian.

The owner / custodian is now an information manager for all the participating custodians, but does not become a custodian of the health information provided to them in their role as an information manager.

For example,

Dr. Bill opened his medical practice, ABC Clinic. Later, additional physicians were recruited to work at ABC Clinic. The physicians are each custodians as defined by the HIA.

Dr. Bill assumes the responsibility for the operations of the clinic including the computer network and the contract with the EMR vendor. Dr. Bill is the information manager for the patient records at the clinic.

Each physician signs an IMA with Dr. Bill and agrees that he will continue to manage the patient records on their behalf. Dr. Bill is operating as an information manager.

In his role of the information manager, Dr. Bill must follow the instructions from each physician, the custodian, as it relates to the management of their patients’ records.

2. Information Sharing Agreement (ISA)

When you have more than one physician in your practice, you need an agreement about how you will decide to manage the personal health information in your practice.

An Information Sharing Agreement (ISA) focuses on the internal decision making about all things related to personal health information, whereas an IMA is an agreement with a single vendor about the services that the vendor provides.

An ISA may include things related to the services that a vendor provides but is not limited to just vendor services.

It also includes decisions about the process to ensure appropriate role based access to personal health information in the EMR, computer network, and paper formats; the regular review of health information privacy and security policies and procedures, ensuring privacy and security awareness training, the regular review of administrative, technical, and physical safeguards in the practice, and so on.

In larger organizations or when several smaller organizations participate in an information sharing initiative, a Data Management Committee may provide oversight and facilitate this process.

An ISA is a requirement of the College of Physicians and Surgeons of Alberta.

Identifying a successor custodian is also a requirement of the College of Physicians and Surgeons (CPSA).

3. Successor Custodianship Agreement

As a business owner, you need to plan a successor to the business. This might be an interim or short-term decision to ensure continuity during an absence or future retirement planning or unexpected illness or death.

In healthcare, physicians and custodians have the added responsibility as the ‘gatekeeper’ for patient records. In the event of a sudden inability to meet these responsibilities, physicians need to identify a successor custodian to ensure appropriate and continued access by patients to their health information for their continuing care and treatment, and to ensure the continuing confidentiality and security of, and access to, patient records.

Have you identified a successor custodian? Each of the physicians in your group practice should also identify their own successor custodian.

This is a CPSA requirement and should also be included in the Privacy Impact Assessment if you have this information available. See CPSA, Patient Record Retention, s.5:

A regulated member acting as a custodian must designate a successor custodian to ensure the retention and accessibility of patient records in the event the regulated member is unable to continue as custodian. (Reference: Health Information Act Section 35(1)(q))

If you are a chiropractor, the Alberta College and Association of Chiropractors (ACAC) further requires its members to name a chiropractor as the successor custodian to maintain the status of ‘chiropractic’ records. (See the ACAC’s Standards of Practice s5.3 Custodianship of Health Records.)

A chiropractor, as a custodian of health records, is responsible for the care and control of the health records in their practices as required by the Health Information Act of Alberta. A custodian of active chiropractic files must be under the custody or control of an active, registered member of the ACAC.

Note that under the Health Information Act, a chiropractor may disclose files to another custodian who is not a chiropractor, and only a chiropractor may have custody or control of chiropractic files. Chiropractic files disclosed to a non-chiropractor should no longer be considered chiropractic files.

A custodian must implement technical and physical safeguards to protect the confidentiality of the information and privacy of individuals as well as protections against reasonably anticipated threats to the security or integrity of the information. A custodian must also defend against unauthorized uses, disclosures or modifications of the information. Safeguards must be periodically assessed and documented in policies and procedures.

If you are working in an owner/custodian scenario discussed above, clearly identifying a successor custodian becomes imperative. An unplanned absence of the owner / custodian can seriously jeopardize the business and the continuing care and treatment of patients.

The custodian can, but is not required to, name another custodian in the same practice to be their successor. Whatever your decision, ensure that this is well documented and easily accessible to the other custodians and key decision makers in your organization in the event of an emergency.

The best time to create IMA, ISA, and Successor Custodianship Agreements is when you start your healthcare business.

The second best time is now.

What are you waiting for?

If you need assistance, contact Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers. I’m here to help you with your Practice Management Success.

Download the FREE Report - Top 3 Agreements Your Healthcare Practice MUST Have

If you are a member of Practice Management Success, login here to access the Top 3 Agreements.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS 

What is an Information Manager Agreement (IMA)?

Posted on October 25, 2017 by Jean Eaton in Blog

Having a clear agreement of how patient records will be maintained to ensure privacy, security, and confidentiality in a paper based patient record or in a shared EMR database is the objective of an Information Manager Agreement. This may also be called a Data Sharing Agreement, Information Sharing Agreement, or Business Associate Agreement.

Prenuptial Agreement

In a group healthcare practice, having a clear understanding in writing that sets out how patient records will be collected, used, and disclosed during the group practice is critical to the security of the patient information, health service provider information, and good will between members of the group practice. Think of this as the ‘prenuptial' agreement in your business relationship.

Who is an Information Manager?

In Alberta, the Health Information Act (HIA) defines an information manager.  Generally, it is a special kind of an affiliate, usually a business or a vendor, who provides a service that does some specific task (authorized by the custodian) with health information.  This could be a billing agent, accredited billing submitter, outsourced transcriptionist, EMR vendor or other service provider.

If you are using an EMR vendor, the named individuals on the IMA are the only persons from whom the software vendor can receive instructions on how to manage the records in the database. Often, this is the physician lead and business owner.

Sometimes, the custodian is also the information manager. For example, a physician (custodian) and business owner may assume the responsibility of ensuring the security of all the patient records authored by other custodians in the group practice.  The physician / custodian / business owner / information manager must follow all the rules of the IMA and HIA.

Not every healthcare practice has an information manager. Some group practices have many information managers providing different services. There are many details and options to consider. The discussion, and then putting it in writing, is the key to a positive business relationship and secure records management.

Avoid surprises – and nasty exits

Some tips to prevent surprises:

  • Take a pro-active privacy role and inform patients how their information will be protected during the routine practice operations and when healthcare providers are added to – or leave – the practice.
  • Decide how you are going to decide about the on-going operational changes to how the software will be used in your practice.
  • Identify in the EMR software who is the primary (or default) healthcare provider for each patient. Talk with your software vendor how best to record this.

It’s never too late to start! If you missed creating an Information Management Agreement or Data Sharing Agreement in your group practice, do it now!

See the Digital Resources for samples that you can use.

Click on the Infographic to download

Download our Infographic, “What is an IMA?”

Watch the Video

Are You a Vendor That Supports Healthcare Practices?

Posted on January 14, 2016 by Jean Eaton in Blog

New healthcare business needs IT solutions and is asking if you have a PIA

(what will you do about it?)

Healthcare practices throughout Canada and the US need IT services and have money to buy new hardware, software and service contracts. They also need a Privacy Impact Assessment (PIA) and want to work with a vendor who is PIA prepared.

Vendors are required to comply with the healthcare providers' PIAs and their privacy, confidentiality, and security best practices.

“A PIA should be as commonplace to a healthcare practice as a business plan is to a business.”

-Jean L. Eaton, Your Practical Privacy Coach

BUT most healthcare practices don't know this and often don't know that a PIA is usually part of their professional college requirements and often even a legislated requirement! Developing a PIA and the supporting policies and procedures will help a healthcare practice to prevent gross errors, omissions or attacks that could result in fines and even jail time for the business, healthcare provider, employee, or vendor. A vendor that supports healthcare practices must:

  • Understand the PIA process and the healthcare customer's needs.
  • Understand the requirements of legislation (for example, Health Information Act Regulations, Electronic Health Records Regulations, HIPAA, etc.) that the clinic must follow, including technical safeguards to protect the privacy, confidentiality, and security of patients' health information.
  • Make sure that the vendor's business practices meet privacy and safety legislation. This is an excellent opportunity for the seller to lead by example and demonstrate how to implement and follow best practices. This includes:
    • Having a named Privacy Officer
    • Implementing an internal privacy and security incident management program
    • Implementing a privacy awareness program for all of your employees
    • Providing an Information Management Agreement (IMA) or Business Agreement (BA) to the healthcare provider that meets regulations.

Not every healthcare practice knows all of the technical, physical, and administrative safeguards that should be in place to prevent the risks of unauthorized access, use, or disclosure of sensitive health information. A vendor that understands the requirements can make better recommendations for the healthcare practice. In fact, the experienced vendor can:

  • Create a premium value-added service to guide all new clinics with step by step instructions about the regulations and requirements of the service and
  • Profile how the vendor can best support the healthcare practice
  • Create more sales and help more customers by providing the services they need (even if they don't know it, yet!).
  • Coach the healthcare practice early in the sales process about how the vendor's services can support the healthcare practice. This results in less work and headache for both the practice and the provider.

Do you want to become the preferred vendor in this large customer niche?

You need to learn what the healthcare business needs to successfully complete their Privacy Impact Assessment. Then you can develop a branded PIA Readiness Plan for your business that you can give to the healthcare provider to support them in creating their PIA.

 

Have you seen this?

IT vendor Privacy Impact Assessment Readiness Plan

 

Brought to you by Jean L. Eaton, Your Practical Privacy Coach

Join Privacy Nuggets and get some more tips, tools, and templates that you can use right away to improve your privacy management program.

 

Copyright 2023 Information Managers Ltd.
