Does Your Healthcare Practice Need an Information Manager Agreement For Your Shredding Service?

Posted on April 1, 2019 by Jean Eaton in Blog

Q: We are selecting a vendor to look after our shredding. Do we need an information management agreement (IMA)?

A: Yes, you need an information manager agreement (IMA) with your shredding vendor.

Think about all the health information that you have authorized them to manage on your behalf. You certainly want to select a reputable vendor who will pick up the paper and securely transport it to their facility for secure shredding.

The Health Information Act (HIA) allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, like shredding. This requires the custodian to give the vendor access to the papers with health information so that the vendor can securely destroy the paper.

The shredding vendor is known under the HIA as an information manager.

The custodian must ensure that the vendor has reasonable safeguards in place to protect the sensitive health information. The custodians must also ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

There are many reputable vendors from which to choose

Some vendors will do the shredding right in your parking lot; others will transport it to their processing facility.

Remember to ask for a certificate of destruction at the completion of the shredding to document the secure destruction of the paper. Some vendors require a witness from the clinic to confirm that the shredding was done securely.

Some vendors can offer a recycling program for the paper after it has been securely shredded.

Ask your shredding vendor for an IMA. This is different than a service agreement where you agree to pay a fee for the shredding service.

For more information on what is an IMA, see the e-book, Top 3 Agreements Your Healthcare Practice MUST Have (and Why).

health, healthcare, information management agreement, information manager agreement, shredding

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Posted on November 29, 2018 by Jean Eaton in Blog

In order to provide services, healthcare practices must collect pertinent information from patients. This data gathering often includes many sources of information, across different types of technology, among multiple vendors. Good business practices and health records management is supported by three agreements your healthcare must have: information manager agreement (IMA), information sharing agreement (ISA), and successor custodian agreement.

For instance, when a patient attends a clinic, their details are nearly always entered into a computer software program to maintain demographic information, manage patient appointments, and to process payments. Often, health service providers (including physicians, pharmacists, chiropractors, dentists, psychiatrists and more) record their patients’ notes into an electronic medical record (EMR).

Patient information is shared between providers where required. For example, when the patient visits a diagnostic lab for testing, results are often transmitted electronically to the ordering physician’s fax machine or to the EMR.

Custodians including physicians, pharmacists, chiropractors, dentists, and psychiatrists, as defined by the Alberta’s Health Information Act (HIA), must follow HIA legislation when they collect, use, and disclose health information.

Often, custodians are also the owners of independent healthcare practices. However, an owner of a healthcare practice is not the custodian if they are not also an active member of a regulated health profession named as custodians in the HIA.

1. Information Manager Agreement

The HIA allows custodians to contract with other health service providers and vendors for the purposes of providing information management or information technology services, so patients can receive health services, and make payments. This often requires the custodian to share patient information with a vendor (or give them access to) so the vendor can process, store, or provide information as needed.

The custodian selects one or more business to provide the services, equipment, or software to assist in the management of health information. For example: EMR provider, contracted transcriptionist, billing agent, remote backup service, etc. These businesses are known in the HIA as information managers.

Before sharing health information with someone else, the custodian must ensure that the partners and vendors have reasonable safeguards in place to protect sensitive health information. The custodians must ensure that there is a written agreement between the custodian and the information manager. These agreements are known as “Information Manager Agreements.” This requirement is stated in the HIA section 66(2).

The Information Manager Agreement (IMA) is one of three crucial agreements a healthcare practice must have in place.

If You Don’t Have an IMA

If you are a custodian who uses vendors as part of your business and you do not have an IMA with that vendor…

You are in breach of the HIA.
You may incur fines under the HIA.
You may face sanctions and disciplinary actions from your professional regulatory college.
Almost certainly, you will encounter conflicts, poor communication, between yourself and the vendor(s) and the other participating custodians in your practice.
You may lose control of the health information as reported in the Investigation Report H2013-IR-01from the Alberta Office of the Information and Privacy Commissioner (OIPC).

In a press release from the Alberta OIPC in 2013, Information and Privacy Commissioner Jill Clayton noted that:

“The HIA allows custodians to disclose health information to IT service providers, such as EMR vendors, under an appropriate Information Manager Agreement. When custodians do not sign these agreements, they may find themselves in the unfortunate position of losing control over the health information they need to provide health services.”

Investigation Report H2013-IR-01 (https://www.oipc.ab.ca/news-and-events/news-releases/2013/investigation-report-h2013-ir-01.aspx)

Who Must Create the Information Manager Agreement?

The custodian is responsible to ensure that there is an appropriate IMA created and signed.

The information manager can assist the custodian by preparing templates of the IMA including specific details of the services that they will provide and the safeguards that the vendor will implement to protect personal health information.

Key Points About IMAs

A few important notes about IMAs.

IMA must be signed by the custodian.
Agreements signed by individuals who are not custodians are not valid under the HIA.
Custodians are required under the HIA to have an IMA with the vendor before disclosing health information. If there is no agreement in place, the custodian is in breach of the HIA.
Custodians are responsible for the health information that they collect, use, and disclose. Therefore, the custodian is responsible for the IMA and to ensure that the health information will be handled confidently and securely.

Key Points IMA

The custodian can select the best vendor and information manager for the job. The vendor who understands the requirements of the HIA and who can demonstrate that they have implemented the appropriate reasonable safeguards and can assist the custodian to develop an appropriate IMA is, in my opinion, demonstrating a significant competitive advantage.

All healthcare providers in a community practice should spend time when creating their business to establish good business practices, including developing written contracts and agreements to improve the efficiency of the business and to make things happen in the way that they are planned.

Here is a common example

Dr. Alice and Dr. Mark created a welcoming family medical practice in a new sub-division of their city. They each worked hard to attract new patients, hire and train staff, and develop a profitable business.

In the last few years, Alice and Mark had differences of opinion on how to grow their business. In the end, Alice decided that this type of practice wasn’t for her. She decided to leave and join a larger practice in a neighbouring subdivision. Alice wanted to take her patient’s records with her to her new practice and continue to see her patients at the new location.

Mark, who had signed the IMA with the EMR vendor, did not agree to Alice’s request to transfer her patient records to her new group practice.

Alice and Mark argued and eventually involved a professional mediator to help them resolve their business conflict. Hurt feelings between the providers and staff, costly delays in their business and expenses could have been avoided if Alice and Mark had established clear expectations in the event of the termination of their business partnership when they started their group practice. An IMA between custodians in a group practice is a recommended best practice.

When You Have Multiple Custodians in Your Healthcare Practice

When the practice has multiple providers, the owner and custodian frequently assumes responsibility for maintaining the contracts and IMAs with the vendors. Each of the participating healthcare providers may delegate the responsibility of maintaining the vendor arrangements to the custodian owner. This can be achieved with an IMA between the owner / custodian and each participating custodian.

Custodian Owner IMA

Each healthcare provider custodian is considered the custodian of the health information that they collect. The custodians can jointly agree to all use the same EMR. This provides continuity of care for the patients and economy of scale for the participants of the practice.

When the owner/custodian signs the agreement with the EMR, they become the signatory custodian. The EMR vendor takes their instructions from the signatory custodian.

The owner / custodian is now an information manager for all the participating custodians. but does not become a custodian of the health information provided to them in their roles as an information manager.

For example,

Dr. Bill opened his medical practice, ABC Clinic. Later, additional physicians were recruited to work at ABC Clinic. The physicians are each custodians as defined by the HIA.

Dr. Bill assumes the responsibility for the operations of the clinic including the computer network and the contract with the EMR vendor. Dr. Bill is the information manager for the patient records at the clinic.

Each physician signs an IMA with Dr. Bill and agree that he will continue to manage the patient records on their behalf. Dr. Bill is operating as an information manager.

In his role of the information manager, Dr. Bill must follow the instructions from each physician, the custodian, as it relates to the management of their patients’ records.

2. Information Sharing Agreement (ISA)

When you have more than one physician in your practice, you need an agreement about how you will decide to manage the personal health information in your practice.

An Information Sharing Agreement (ISA) focuses on the internal decision making about all things related to personal health information whereas, an IMA is an agreement with a single vendor about the services that the vendor provides.

ISA IMA

An ISA may include things related to the services that a vendor provides but is not limited to just vendor services.

It also includes decisions about the process to ensure appropriate role based access to personal health information in the EMR, computer network, and paper formats; the regular review of health information privacy and security policies and procedures, ensuring privacy and security awareness training, the regular review of administrative, technical, and physical safeguards in the practice, and so on.

In larger organizations or when several smaller organizations participate in an information sharing initiative, a Data Management Committee may provide oversight and facilitate this process.

An ISA is a requirement of the College of Physicians and Surgeons of Alberta.

Identifying a successor custodian is also a requirement of the College of Physicians and Surgeons (CPSA).

3. Successor Custodianship Agreement

As a business owner, you need to plan a successor to the business. This might be an interim or short-term decision to ensure continuity during an absence or future retirement planning or unexpected illness or death.

In healthcare, physicians and custodians have the added responsibility as the ‘gatekeeper’ for patient records. In the event of a sudden inability to meet these responsibilities, physicians need to identify a successor custodian to ensure appropriate and continued access by patients to their health information for their continuing care and treatment and to ensure that the continuing confidentiality, security, and access to patient records continue to be fulfilled.

Have you identified a successor custodian? Each of the physicians in your group practice should also identify their own successor custodian.

This is a CPSA requirement and should also be included in the Privacy Impact Assessment if you have this information available. See CPSA, Patient Record Retention, s.5:

A regulated member acting as a custodian must designate a successor custodian to ensure the retention and accessibility of patient records in the event the regulated member is unable to continue as custodian. (Reference: Health Information Act Section 35(1)(q)

If you are a chiropractor, the Alberta College and Association of Chiropractors (ACAC) further requires its members to name a chiropractor as the successor custodian to maintain the status of ‘chiropractic’ records. (See the ACAC’s Standards of Practice s5.3 Custodianship of Health Records.)

A chiropractor, as a custodian of health records, is responsible for the care and control of the health records in their practices as required by the Health Information Act of Alberta. A custodian of active chiropractic files must be under the custody or control of an active, registered member of the ACAC.

Note that under the Health Information Act, a chiropractor may disclose files to another custodian who is not a chiropractor, and only a chiropractor may have custody or control of chiropractic files. Chiropractic files disclosed to a non-chiropractor should no longer be considered chiropractic files.

A custodian must implement technical and physical safeguards to protect the confidentiality of the information and privacy of individuals as well as protections against reasonably anticipated threats to the security or integrity of the information. A custodian must also defend against unauthorized uses, disclosures or modifications of the information. Safeguards must be periodically assessed and documented in policies and procedures.

If you are working in an owner/custodian scenario discussed above, clearly identifying a successor custodian becomes imperative. An unplanned absence of the owner / custodian can seriously jeopardize the business and the continuing care and treatment of patients.

The custodian can, but is not required to, name another custodian in the same practice to be their successor. Whatever your decision, ensure that this is well documented and easily accessible to the other custodians and key decision makers in your organization in the event of an emergency.

The best time to create IMA, ISA, and Successor Custodianship Agreements is when you start your healthcare business.

The second best time in now.

What are you waiting for?

If you need assistance, contact Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers. I’m here to help you with your Practice Management Success.

Download the FREE Report - Top 3 Agreements Your Healthcare Practice MUST Have

If you are a member of Practice Management Success, login here to access the Top 3 Agreements.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

chiropractors, dentists, health care, Health Information Act, healthcare, HIA, IMA, information management agreement, information manager agreement, information sharing agreement, ISA, medical, physicians, Practice Management Success, successor custodian

Data Privacy Day 2018 Events for You!

Posted on January 14, 2018 by Jean Eaton in Blog

Data Privacy Day is an internationally recognized day dedicated to creating awareness about the importance of privacy and protecting personal information.

Information Managers Ltd is a Data Privacy Champion!

As a DPD Champion, Information Managers recognizes and supports the principle that organizations, businesses, and government all share the responsibility to be conscientious stewards of data by respecting privacy, safeguarding data and enabling trust.

“Each of us is responsible to manage our name and our identity. When you share your personal information, you have the right and responsibility to ask the person or business why they need the information and how they will protect your personal information.”

Jean L. Eaton, Your Practical Privacy Coach of Information Managers Ltd.

Data Privacy Day Activities

“How to Hire a Business Associate With Confidence”

What Healthcare Providers Need to Know about Business Associate Agreements and Information Manager Agreements

To celebrate Data Privacy Day, Information Managers is hosting a free 30-minute webinar with guest expert Kimberly Shutters, BCS, is the founder and CEO of HIPAA alli on Tuesday January 23.

Health care providers are responsible to know how their business associates secure protected health information.

But, how do you select, monitor, and demand high standards from your vendors and business associates?

In this Privacy Nugget Webinar Kimberly Shutters of HIPAA alli and Jean Eaton will discuss frequently asked questions about Business Associate and Information Manager Agreements.

The healthcare provider is responsible for the privacy, confidentiality, integrity and availability and the security of the personal protected health information regardless where the information is kept and who you authorized to create, receive, maintain and transmit the PHI.

Health care providers and business associates need to work together to protect health information.

Make sure your business associates are not putting you at greater risk of privacy and security breach, penalties, sanctions and even jail!

Join the discussion on Information Management Agreements, Information Sharing Agreements, and Business Agreements in healthcare.

Kimberly Shutters is a powerful advocate for HIPAA Privacy, Security, Breach compliance activities for health care entities and business associates.

The mission of her consulting practice, HIPPA alli, is to ensure that her clients understand how their daily activities impact the privacy and security of their patient’s Protected Health Information (PHI).

Along with your registration for the event you'll also receive occasional PRIVACY NUGGETS emails designed to provide to you tips, tools, templates and training that you can use right away!

“Talk Shop – Protect Your Business from Information Breaches”

Jean Eaton is a guest on Lauren Sergy’s “Talk Shop” YouTube channel.

Talk Shop learn from industry experts to be a better communicator in work and in life hosted by @lsergy. Privacy tips for business owners just in time for Data Privacy Day!

Talk Shop learn from industry experts to be a better communicator in work and in life hosted by Lauren Sergy!

I Heart Privacy!

Just in time for Data Privacy Day!

Print badges for your team.

Right-Click the image and select ‘Save As' to download and insert the image into your favourite templates to make badges or stickers or labels.

Or, use the done-for-you sheet of labels that you can print right away and slip into badge holders or print to stickers or labels.

I Heart Privacy DPD Badges I Heart Privacy Badges

You can even customize the labels and add your business name!

“Data Privacy Day Forum in Edmonton”

Alberta’s Office of the Information and Privacy Commissioner (OIPC) OIPC is hosting a free event on Monday January 22 including topics on artificial intelligence and big data. Register at https://www.oipc.ab.ca/.

Follow Us On Social Media!

Each day from Jan 22 – 28, we will have for daily privacy tips, and free links to additional resources on our social media accounts that you can download right away! Follow us!

Stay Safe Online

For more information about how to get involved in Data Privacy Day and the Champions program, visit https://staysafeonline.org/dpd . You can also follow the campaign on Twitter at @DataPrivacyDay or Facebook at https://www.facebook.com/DataPrivacyNCSA and use the official hashtag #PrivacyAware to join the conversation.

Please use the social share buttons below to share these Data Privacy Day activities with your friends and colleagues.

#DataPrivacyDayHealthcare, business associate agreement, Data Privacy Day, Data Privacy Day Champion, Data Privacy Day Edmonton, information management agreement

IT Vendor Privacy Impact Assessment Readiness Plan

Posted on January 9, 2016 by Jean Eaton in Blog, Vendor

New healthcare business needs IT solution asks if you have a PIA (what are you going to do about it?)

Healthcare practices throughout Canada and US need IT services and have money to buy new hardware and service contracts. They also need a Privacy Impact Assessment and want to work with a vendor who is PIA prepared.

You don’t want to lose that sale, do you?

Learn what the healthcare business needs to successfully complete their Privacy Impact Assessment. Develop your own responses and move to the top of their preferred vendors list.

I have developed an on-line interactive course to help you learn everything you need in order to create, review, or amend your own Privacy Impact Assessment Readiness plan. The E-course, Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course includes 5 modules each with a weekly live webinar, as well as templates, tools,resources and one common case study to build on each week.

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course will help you

Understand the Privacy Impact Assessment process and the healthcare client needs
Organize your business marketing to meet the healthcare clients requirements
Be informed
Be proactive
Improve your internal business documentation
Be efficient and reduce the administration delays between procurement and installation
Create a branded Privacy Impact Assessment Readiness plan to give to that caller and get the sale.

Let the Practical Privacy Coach help you!

Video by Trish Findlay – explaindiowhiz on Fiverr

If you are a vendor that supports healthcare practices this e-course is for you!

BONUS! One hour tele-consult with Jean, “Create a branded Privacy Impact Assessment Readiness Package”. Jean will work individually with you to review your documentation and coach you on how to prepare the package to give to healthcare practices.

BONUS! Vendor PIA live webinar includes Vendor non-disclosure agreement, Information Manager Agreement, GAP Analysis, Computer Network Narrative templates.

The modules include:

Module 1:

What is a PIA?

Tuesday, January 12, 2016

9 - 10 am MST

Module 2:

What is an Information Flow?

Tuesday, January 19, 2016

9 - 10 am MST

Module 3:

What is a Risk Analysis?

Tuesday, January 26, 2016

9 - 10 am MST

Module 4:

Pull it together into PIA format

Tuesday, February 2, 2016

9 - 10 am MST

Module 5:

Complete your PIA Submission

Tuesday, February 9, 2016

9 - 10 am MST

BONUS Module 6:

Vendor PIA

Tuesday, February 16, 2016

9 - 10 am MST

The replays, tools, and resources will be available to you for (almost) forever! If you miss a live webinar, or you will be away for some time during the course, you can catch up with the replays. The resources are yours to keep.

BONUS Three (3) open office drop-in group calls with Jean to help you get un-stuck with your PIA.

If you a vendor that supports healthcare practices this e-course is for you

BONUS One (1) hour tele-consult with Jean, “Create a branded Privacy Impact Assessment Readiness Package”. Jean will work individually with you to review your documentation and coach you on how to prepare the package to give to healthcare practices.

BONUS Vendor PIA live webinar includes Vendor non-disclosure agreement, Information Manager Agreement, GAP Analysis, Computer Network Narrative templates.

If you provide services for any of these healthcare providers, they probably require a PIA and they require their vendors to support their PIA and privacy, confidentiality, and security best practices. This is for you if you are a vendor that supports a healthcare provider in a group or solo practice with direct patient care, for example a:

Physician
Pharmacist
Registered nurse
Optometrist or optician
Chiropractor
Physiotherapist
Midwife
Podiatrist
Dentist, dental hygienist or denturist
Audiologist
Mental health practicitioner
Laboratory, x-ray, and imaging technician
Paramedic

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments –

A Complete Step-by-Step Course

5 live webinars, replays, templates tools, and resources

$450.00 (plus GST)

You will get

Learning Resource Guide for EACH module – how-to explanations, templates, and resource lists
Checklists to help you plan your PIA
MindMap of the entire PIA process
PIA project plan timeline templates
Checklists of personal and health information privacy and security policies that you need in your practice
Two sample case studies – one for a new PIA project and one for a PIA amendment – that we will use in each module. The case study is easy to understand by everyone. Use this approach for your PIA project.
Explanation and real-life examples of key terms that you need to know and include in your PIA
Strategies and templates of risk management assessments that you can customize
This E-course might qualify for CPE credits, too!

BONUS! Three (3) open office drop-in group calls with Jean to help you get un-stuck with your PIA.

BONUS! Checklist to update your PIA to meet recent changes to Alberta's Netcare Portal.

BONUS! Invitation to join a private LinkedIn Group with other registered participants of this course to network and support each other on your PIA journey and continue to help you after this course closes.

If you hired a consultant to do the work of the PIA process for you it may cost you as much as $2,000!

And then…when the consultant is done, they take their knowledge out the door with them.

Invest only $450 in this course and you'll have what you need to do your first PIA project today…and every project in the future!

Not sure if this is right for you?

How to Plan a PIA for Your Healthcare Practice – Practice Management Nugget webinar recorded live on December 3, 2015

Watch the replay here!

Watch the Preview of the E-Course, Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments.

Preview the E-Course here!

In this preview, Jean will tell you:

3 Biggest Myths about PIA's (and why they are not true)
Questions Privacy Officers, Clinic Managers, Practice Managers Should ask about PIA's but don't
Biggest fears about doing a PIA

Jean will share with you the Solution: Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course.

You will learn:

5 Modules of the E-course
What you get with the course
Why you should buy the course now

Complimentary access to the on-line course Privacy Awareness in Healthcare: Essentials $25 value

from our partner, Corridor Interactive when you purchase the E-course. One user subscription with access to the course for 3-months. Start this training now – a valuable introduction to Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course.

– Jean, Your Practical Privacy Coach

business associate agreement, GAP Analysis, information management agreement, PIA, Privacy Impact Assessment, vendor non-disclosure agreement