Information Managers
  • Home
  • Services
    • All Services
  • Templates
  • Blog
  • Contact Us
  • Practice Management Success
  • Podcasts

Why Medical Practices Will Have to Offer Telemedicine in the Future to Compete

Posted on September 22, 2020 by Meghan in Blog

Did you know – it's a myth that patients don't want to use telehealth!

When your practice has efficient processes and in-office practice is streamlined, then you are ready to embark on seeing patients with telemedicine. The COVID-19 pandemic has been the catalyst for growth in telemedicine, and it will be an essential tool for healthcare providers in the future.

Dr. Michael Greiwe, founder of OrthoLive and SpringHealthLive telemedicine platforms is my guest on this episode of Practice Management Nuggets For Your Healthcare Practice!

He’s going to share with us how to increase your practice revenue, efficiency and patient satisfaction with telemedicine!

 

Dr. Michael Greiwe's #1 Tip to Healthcare Providers, Clinic Managers, and Privacy Officers

90% of Patients Prefer Telemedicine over in-office visits. Click to Tweet

 

My Favorite Takeaways From The Podcast

  • Telemedicine is the next tool that is going to make the job easier for physicians and better for patients
  • It's a digital health misconception that patients don't want to use telehealth
  • Patient access is the beauty and power of telemedicine
  • Get your office processes in good working order so that you can confidently implement telehealth solutions

Featured Guest: Dr. Michael Greiwe

OrthoLive & SpringHealthLive

Michael Greiwe, M.D., is a surgeon by day and tech guru by night. He is a practicing orthopaedic surgeon with OrthoCincy, near Cincinnati, Ohio, and the founder of the OrthoLive and SpringHealthLive telemedicine platforms. The platforms allow medical practices to deliver telemedicine visits through real-time HIPAA compliant video conferencing between provider and patient – increasing practice revenue, efficiency and patient satisfaction.

Dr. Greiwe is a nationally recognized expert on how telemedicine technology is changing the practice of medicine. TV news stations and podcasts across America have interviewed him about the future of telemedicine, and how to use it to improve the patient experience.

He attended the University of Notre Dame, where he won the prestigious Knute Rockne Award for excellence in academics and athletics. He completed his orthopaedic surgery training at the University of Cincinnati Department of Orthopaedic Surgery and Sports Medicine. In 2010, Dr. Greiwe completed his fellowship in shoulder, elbow and sports medicine at Columbia University, training with the head team physician for the New York Yankees, Dr. Christopher Ahmad.

To find out more, see OrthoLive and SpringHealthLive.

 

Be sure to tune in to my interview with Dr. Michael Greiwe

Why Medical Practices Will Have to Offer Telemedicine in the Future to Compete | Episode #095

Listen To The Podcast Here

You may also be interested in:

Remote Working and Virtual Care Privacy Impact Assessment Templates

#PracticeManagementNugget, clinic manager, COVID-19, Dr. Michael Greiwe, healthcare, medical, OrthoLive, pandemic, patient experience, podcast, SpringHealthLive, telehealth, telemedicine

Snooping Conviction Earns 3 Years’ Probation

Posted on September 14, 2020 by Jean Eaton in Blog

Do you have a privacy breach awareness program in place in your healthcare practice?

Spotting a privacy breach is the first step to stopping a privacy breach.

You Can Use This Privacy Breach Example to Review and Improve Your Practices.

This Is What Happened

The clinic recognized that one of their employees viewed the health records of close acquaintances, friends, and others in the community. She did not have a need to know this information to do her job.

In one case, the employee disclosed an individual’s health information to a friend.

In June 2018, a medical clinic in Alberta reported a privacy breach to the Alberta Office of the Information and Privacy Commissioner.

The OIPC opened an investigation and subsequently referred its findings to the Specialized Prosecutions Branch of Alberta Justice. Charges of an offence under the Health Information Act (HIA) were laid.

Unauthorized Access By Employees

On September 2, 2020 the clinic former employee plead guilty in court to breaching the HIA. It is an offence under HIA to knowingly gain or attempt to gain access to health information in contravention of the Act (section 107(2)(b)).

The judge sentenced the employee to

  • $6,000 fine
  • three years probation, and
  • 180 hours of community service

 

This breach was entirely preventable.

Keep this story in mind when you are trying to determine the return on investment to deliver privacy awareness training and EMR user monitoring tools to prevent and identify early snooping privacy incidents.

You can invest a little now with privacy awareness training . . . or you can pay over and over again for an investigation and bad publicity that never ends!

 

Privacy Breaches – What You Need to Know

1. Provide privacy awareness training for each employee and healthcare provider at orientation and regularly throughout the employment.

2. Collect the employee’s oath of confidentiality, including an acknowledgement that the employee understands the principles of using only access health information necessary to perform their job.

3. Monitor your users’ access to health information to quickly identify when a suspicious privacy incident occurs. The sooner you identify a privacy breach, the sooner you can limit the risk.

4. Implement your sanction policy when needed. Your sanctions policy clearly identifies the sanctions when an employee or healthcare provider is liable of an offence under the HIA.

5. Report a privacy breach to your custodians and healthcare providers, the Office of the Information and Privacy Commissioner, and the Minister of Alberta Health and the individuals affected by the breach.

 

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE 15 Minute Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Not sure what is considered a privacy breach? See When is a Privacy Breach a Privacy Breach?

 

Do you do routine audits? Here’s how.

Are Your Employees Privacy Aware? Start now!

References

Edmonton Journal. Former Camrose medical clinic worker hit with fine, probation for snooping health records. Nicole Bergot, Sep 10, 2020. https://edmontonjournal.com/news/local-news/former-camrose-medical-clinic-worker-hit-with-fine-probation-for-snooping-health-records

Alberta OIPC. Multiple Penalties Issued to Individual Convicted of Health Information Breaches. https://www.oipc.ab.ca/news-and-events/news-releases/2020/multiple-penalties-issued-to-individual-convicted-of-health-information-breaches.aspx 

clinic, custodian, health, Health Information Act, healthcare, HIA, mandatory privacy breach notification, medical, physicians, privcy breach, probation, snooping in healthcare;

How AI Improves EMR Auditing

Posted on September 8, 2020 by Jean Eaton in Blog

Healthcare providers and clinic managers have three common myths about EMR user monitoring auditing.

Myth #1 – The electronic medical record EMR automatically does all the auditing – I don’t have to do anything

Myth #2 – I don’t have to audit my users – I know them

Myth #3 – I won’t have to worry about this until I have a breach

Rob Pruter, the User Monitoring Expert at SPHER is my guest on this episode of Practice Management Nuggets For Your Healthcare Practice!

He’s going to share with us how to protect your practice and your patients when you use Artificial Intelligence (AI) technology that can recognize unusual activities and generate a warning message.

Finally, an easy way to perform user monitoring and quickly recognize risks from external bad actors and employee snooping incidents!

Rob Pruter's #1 Tip to Healthcare Providers, Clinic Managers, and Privacy Officers

Nobody goes to the doctor to get their identity stolen! Click to Tweet

My Favorite Takeaways From The Podcast

  • Patients trust their healthcare providers – not just about their medical information, but personally identifying information, too.
  • Identity and access management is critical! Everyone needs a unique user ID.
  • Increasingly important given the trend to remote access and browser based EMR access. Don't be complacent just because you can't see the users.
  • Artificial Intelligence (AI ) technology can quickly recognize unusual activities and generate a timely warning message so that you can react appropriately.
  • You don’t know when someone’s credentials have been compromised. People’s personal circumstances change. You need to demonstrate reasonable safeguards including user monitoring.
  • Designate a person (privacy officer, compliance officer) in the organization responsible to ensure regular review of users’ behaviour. This has a significant impact on decreasing the likelihood of being impacted by a privacy and security breach.
  •  

Featured Guest: Rob Pruter

SPHER Inc.

Rob is the Chief Revenue Officer at SPHER, Inc.

He is responsible for all global sales, marketing, and partner revenue at SPHER, Inc.

For the past 20 years, he has successfully built marketing programs and partner alliances in the healthcare IT space with larger companies and innovative start-ups.

He has a passion for protecting patient privacy and cybersecurity for the healthcare industry.

And he is my new best friend with a passion to improve audit log monitoring!

To find more from Rob, download the brochure from SPHER!

 

Be sure to tune in to my interview with Rob Pruter

How AI Improves EMR Auditing | Episode #094

 

Listen To The Podcast Here
#PracticeManagementNugget, AI, artificial intelligence, audit log, audit trail, clinic manager, compliance, healthcare, medical, podcast, review, Rob Pruter, SPHER, user monitoring

CHIMA’s Emerging Privacy Management Practices in Health Care series

Posted on July 30, 2020 by Meghan in Blog

Emerging Privacy Management Practices in Health Care 

I'm tickled pink to be the facilitator for CHIMA's new continuing education series.

The Canadian Health Information Management Association (CHIMA) recently launched a live, 5-part privacy series, Emerging Privacy Management Practices in Health Care, beginning on August 6, 2020.

Telehealth and virtual care implementation has advanced 10 years in the last 3 months in response to the coronavirus (COVID-19) pandemic. This series covers the critical aspects of implementing modern privacy management practices in your health care organization. This series is suitable for individuals with privacy-related roles (e.g., managers, vendors, or employees) across the continuum of health care (e.g., acute, primary, long-term or community care).

Each module will cover a privacy-related topic area including privacy awareness, release of information (ROI), access and disclosure, security/cybersecurity, and breach management. Environment overviews are shared throughout the series along with new opportunities for health information professionals in both traditional and emerging roles. By keeping current with these trends, health information professionals will be better prepared to assume new roles within privacy management.

Attend the live webinars to participate in a Q&A period with series facilitator and industry expert Jean L. Eaton.

Learn more at echima.ca/privacy-series

Speakers:

Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers Ltd.

Jean L. Eaton is a Certified Health Information Management (CHIM) professional, and privacy awareness training facilitator.

She has had the honour of sharing her passion for practical privacy and confidentiality advice with hundreds of medical clinics, health care practices, and organizations across Canada and the United States.

Jean has over 20 years of experience in health information management and health care administration and over 15 years in her independent privacy consulting practice. She makes practical recommendations for thousands of independent health care providers to help them comply with privacy legislation and create efficient practices.

Jean is also a keynote speaker on the topic of privacy breach management and serves as an on-demand ‘virtual privacy officer’.

The live webinars will occur on the first Thursday of each month from August to December.

 

Module Date Time
1. Privacy awareness August 6, 2020 12:00 – 1:30 pm EST
2. Release of information September 3, 2020 12:00 – 1:30 pm EST
3. Access and disclosure in patient portals, information sharing, and health information exchange environment October 1, 2020 12:00 – 1:30 pm EST
4. Security/cybersecurity November 5, 2020 12:00 – 1:30 pm EST
5. Privacy breach management December 3, 2020 12:00 – 1:30 pm EST
Purchase Your Series Pass Here!
access, cybersecurity, health care, Health Information Management, healthcare, medical, privacy, privacy awareness, privacy management, security, telehealth, virtual care

Your Guide to Privacy & Security Measures for the Health Care Industry

Posted on June 11, 2020 by Meghan in Blog

I’m tickled pink to be a guest of Rafiki Technologies' EVOLUTION SERIES

Your Guide to Privacy & Security Measures for the Health Care Industry

Join Rafiki Technologies and Jean Eaton to learn effective ways to keep your patient information safe and secure.

Confidentiality and security of personal health information (PHI) are crucial in the health care industry. It's your job to keep your records safe and your patient's information private, confidential, and secure.

Electronic medical records (EMR) have many advantages but security concerns are attached. Internet hackers are able to access private information in a matter of minutes if the medical practice doesn't have strong security measures in place and well-trained staff.

Learn how to protect your patient data with Rafiki Technologies' President Naheed Shivji. He and his team have worked in the medical industry for many years and they understand how to integrate proper IT and security measures seamlessly into existing infrastructure.

Joining Naheed Shivji is a Certified Health Information Management Professional, Jean L. Eaton. Jean is exceptionally versed in privacy awareness training and tools and works alongside many healthcare providers to ensure they're using the right protocols to keep patient information protected while complying with privacy legislation. 

Speakers:

Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers Ltd.

I assist healthcare providers, clinic managers, practice managers, privacy officers, and independent healthcare practice owners with practical privacy awareness training and tools that are easy to implement, cost-effective, and meaningful to your day-to-day business.

As a Certified Health Information Management professional (CHIM), and privacy awareness training facilitator, I have had the honour to share my obsession about practical privacy and confidentiality advice with hundreds of medical clinics and healthcare practices and organizations across Canada and the US.

With over twenty years of experience in health information management and healthcare administration and over 15 years in my independent consulting practice, I have made practical recommendations for 1000’s of independent health care providers to help them comply with privacy legislation and create efficient practices.

 

Naheed Shivji, Founder & President of Rafiki Technologies Inc

Naheed has more than 20 years of experience in IT with expertise in the dental industry. He is a passionate entrepreneur helping companies understand and embrace technology and is always searching for business best-practices while giving back to the community.

Naheed works hands-on with his clients to develop winning IT strategies and smooth implementations. He is constantly learning and adapting to industry trends to maintain Rafiki Technologies’ position as a leading managed IT services company in Canada.

 

Your Guide to Privacy & Security Measures for the Health Care Industry

Tuesday, June 16th, 2020

6:00pm MDT

Watch the YouTube Video Here!
cybersecurity, datasecurity, healthcare, informationsecurity, medical, privacy, security

Here’s a Common Telehealth Workflow Process

Posted on April 22, 2020 by Meghan in Blog

With so many changes to daily lives and schedules due to COVD-19, healthcare practices are also changing. I think that these experiences have probably advanced telehealth, virtual care, and digital health initiatives ten years in the space of six weeks.

If you have been experiencing a whiplash headache from the speed of the changes to your practice management, you are not alone!

I am committed to help you with policy, procedure, and privacy impact assessment templates and resources to support you as you implement remote working and virtual care for your patients.

Use these policy and procedure and privacy impact assessment templates to help you provide virtual care while remote working and maintain reasonable safeguards to protect the privacy and security of personal health information.

If you are moving into remote working and virtual care or telehealth, it’s important that you have anticipated the risk to privacy, confidentiality, and security of patient information and have planned appropriate safeguards to prevent harm.

Patients don’t always know to ask questions about the risks of using new virtual care technology. Custodians and clinicians have a responsibility under the Health Information Act to inform patients about any additional risks to their privacy and health information while using technology in new ways. You could include this in your workflow when the patient appointment is made and the receptionist provides this information. Immediately prior to the on-line consultation, the clinician may review the collection consent and respond to questions from the patient before beginning the clinical encounter.

You might also have a legal requirement in Alberta to submit a privacy impact assessment to the Office of the Information and Privacy Commissioner.

If your healthcare practice is implementing remote working or virtual care, you need to notify the OIPC.

Health information is sensitive information. Reasonable efforts must be made to ensure that identifying and sensitive information is protected from unauthorized access, loss, or damage during and outside work hours. What a custodian may consider is reasonable efforts during a pandemic may be different than reasonable efforts from normal circumstances.

In Alberta, section 64 of the Health Information Act (HIA) requires custodians to prepare a privacy impact assessment (PIA) and submit it to the Office of the Information and Privacy Commissioner (OIPC) of Alberta prior to implementing a new administrative or technical process in a healthcare practice.

During the pandemic, the OIPC of Alberta requests an email now to outline your implementation plan. Then, promise to follow-up with a Privacy Impact Assessment submission in a few weeks.

Remote Working and Virtual Care  Policy, Procedure, and PIA Templates

Templates are a time-saving tool for anyone looking to move into remote working, telehealth or virtual care solutions. Your on-line course includes instant access to checklists and resources to help you select the best virtual care options.

The policies and procedures templates will help every clinician thinking of authorizing some (or all) of your staff to remote work from home and / or provide virtual care while ensuring the privacy and security of health information.

The templates are delivered to you inside the on-line course management platform called Ruzuku. The instructions and the templates are delivered in 6 lessons. The instructions in each lesson will take you less than 5 minutes each to read.

Then, you download the templates from Ruzuku to your computer and modify each template with your clinic-specific information. Editing the MS Word templates will take you about 3 hours. I can’t estimate the amount of time that you will require to read the templates, gather information and making decisions about your remote working and virtual care project.

As you build your policies and procedures and the supporting documents, you will copy and paste them into the key sections of your PIA.

 

Virtual Care Workflow

There are many ways to implement virtual care or telehealth in your practice. A common workflow process includes:

Schedule the Patient Appointment – Reception

Schedule the patient appointment in the EMR.

Telephone or send a secure email to the patient with the

  • Appointment confirmation and instructions on how to use the video conference solution;
  • Collection notice; and
  • Privacy Officer contact information.

Request the patient to sign or verbally consent to the use electronic communication.

Time of Appointment – MOA

Receptionist / MOA initiates the video conference call with the patient.

Ensure patient can connect and hear the audio / see the video or shared screen.

Verify the patient identity.

Invite the clinician to join the video conference / make host of the call.

Notice of Collection / Consent – Clinician

Introduce yourself.

Review the Notice of Collection and Consent and respond to any questions.

Confirm that the patient is in an appropriately private location.

Document Patient Encounter – Clinician

Confirm the patient’s understanding of the assessment and plan.

Arrange to send any prescriptions to pharmacies and any requisitions or referrals to the patient or the appropriate office/facility.

Complete the clinic note in the patient record.

Is Remote Working and Virtual Care Here To Stay?

Many practices are finding benefits to having flexibility to allow staff to work from home to accommodate illness, child care disruptions,  and business continuity planning. Many patients are finding that they appreciate the convenience of accessing health services without parking, time off of work, or child care struggles. Sometimes, both clinicians and patients are discovering that this new modality has inspired a better understanding of the patient's home environment and creates opportunities to improve care and treatment.

I don't think we can put this genie back in the bottle. Remote working and virtual care will become a new normal – for some practices – at least on a part-time basis. Consequently, I recommend that you take the time needed now to get the procedures and safeguards right so that we protect the privacy, confidentiality, and security of health information, allow our clinicians to work to their full scope of practice, and provide the appropriate care and treatment in a way that is convenient for all parties.

I'm here to help you.

Take advantage of this offer to access the templates that will help you implement remote working and virtual care solutions in your practice.

Yes, I Want the Policy, Procedure and PIA Templates!

Not sure if remote working is right for your healthcare practice?

Check out the The Practice Management Success Tip, Remote Worker Privacy and Security Checklist, which will help you:

  • Determine if remote working is appropriate for your employees.
  • Identify what clinic / business resources need to be provided to the employee remote worker.
  • What reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

What Should I Do If I Think I Have COVID-19?

Do You Know Where Your Policies and Procedures Are? 

Is Remote Working a Good Choice for Your Healthcare Practice?

Notice of Collection for Telemedicine and Virtual Health

 

healthcare, medical, pandemic, physician, PIA, rehab, remote working, risk assessment, telehealth, virtual care, virtual healthcare, workflow

Do You Need a PIA for Remote Working or Virtual Care?

Posted on March 31, 2020 by Meghan in Blog

If your healthcare practice is implementing remote working or virtual healthcare, you need to notify the OIPC.

Health information is sensitive information. Reasonable efforts must be made to ensure that identifying and sensitive information is protected from unauthorized access, loss, or damage during and outside work hours. What a custodian may consider is reasonable efforts during a pandemic may be different than reasonable efforts from normal circumstances.

In Alberta, section 64 of the Health Information Act (HIA) requires custodians to prepare a privacy impact assessment (PIA) and submit it to the Office of the Information and Privacy Commissioner (OIPC) of Alberta prior to implementing a new administrative or technical process in a healthcare practice.

The OIPC in Alberta requests in its notice of March 19, 2020, that custodians notify the Commissioner about new administrative practices or information systems.

How Do I Notify The OIPC?

Step 1: If you have implemented, or plan to soon implement remote working, virtual care or other administrative or technical changes in response to the COVID-19 pandemic, send an email to the OIPC to inform them, in general terms, about your plans.

Step 2: As soon as possible, submit a project specific Privacy Impact Assessment to the OIPC.

To help you get started with Step 1, I have prepared a sample email that you can use.

Yes, send me the Sample Email to the OIPC!

Not sure if remote working is right for your healthcare practice?

Check out the The Practice Management Success Tip, Remote Worker Privacy and Security Checklist, will help you:

  • Determine if remote working is appropriate for your employees.
  • Identify what clinic / business resources need to be provided to the employee remote worker.
  • What reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

What Should I Do If I Think I Have COVID-19?

Do You Know Where Your Policies and Procedures Are? 

Is Remote Working a Good Choice for Your Healthcare Practice?

Notice of Collection for Telemedicine and Virtual Health

 

healthcare, medical, OIPC, pandemic, physician, PIA, remote working, risk assessment, virtual healthcare, work from home

Notice of Collection for Telemedicine and Virtual Health

Posted on March 26, 2020 by Meghan in Blog

[s3vpp id=c5f551d2614464a26253c46391c66109]

If you are using telemedicine or virtual health, you still need to provide a notice of collection of personal information.

The Advice to the Profession series from the College of Physicians and Surgeons of Alberta (CPSA) offers guidance documents to assist you in assessing the security risks and safeguards of electronic communications, such as telemedicine or virtual health.



From the College of Physicians and Surgeons of Alberta (CPSA):

COVID-19: Virtual Care

Electronic Communications & Security of Mobile Devices

Standard of Practice Telemedicine

Along with helping you the assess the appropriate safeguards you need to take to protect the privacy and confidentiality of personal health information, the CPSA Advice also advises healthcare practices to ensure they have the consent of patients before providing virtual healthcare. 

The collection notice is important to ensure the privacy rights of patients. But the notice is rather wordy to say before every virtual health encounter with your patients.

How can I ensure consent?

I've made it easier for you. I've recorded an audio file that you can download and save to your cell phone. Play the audio notice of collection at the start of each telephone or video call to properly inform the patient before the consult.

When you download the Practice Management Success Tip, Remote Working Privacy and Security Checklist, you will receive an email with a link to the audio file.

I hope that the checklist and the audio file will help you to make good business decisions and, if this is the right fit for you, help you to provide virtual health to your patients.

You can use the collection notice below to prompt the clinician to ask the individual for their name and date of birth at the outset of the call.

If you are using a video conference call, you could also consider having the patient display their photo ID to the camera.

Remember – don't use the record feature for the video conference call!

If you are using a video conferencing, patient portal or other third party platform, direct the patient to review the privacy policy of the provider, too.

The clinician then documents in the patient's chart that the patient's identity was verified by having the patient verbally provides their name, date of birth (and/or photo ID).

Script – Notice Of Collection

Unregulated virtual care technologies increase the risk that your personal health information may be intercepted or disclosed to third parties. These tools are being used as an extraordinary measure during the COVID-19 pandemic when regulated technology is not readily available, and the necessity to keep people from congregating or attending health facilities where they may be exposed to the COVID-19 virus is thought to outweigh the risk of personal privacy breaches on both a personal and population health basis.

By providing your information, during this teleconference or video conference call, you agree to let us collect, use, or disclose your personal health information through video or audio communications in order to provide you with care.

You will be asked to state your full name and date of birth will confirm your identity and ensure accurate record keeping.

Continuing with this telephone or video conference call indicates your consent to the collection of your personal information as authorized under the Health Information Act of Alberta.

 

Download The Remote Worker Privacy and Security Checklist

And get the Collection Notice audio for FREE.

 

The Practice Management Success Tip, Remote Worker Privacy and Security Checklist, will help you

  • Determine if remote working is appropriate for your employees.
  • Identify what clinic / business resources need to be provided to the employee remote worker.
  • What reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

What Should I Do If I Think I Have COVID-19?

Do You Know Where Your Policies and Procedures Are? 

Remote Working and Virtual Care Policies Procedures PIA Templates

healthcare, medical, notice of collection, pandemic, physician, remote working, risk assessment, work from home

Is Remote Working A Good Choice For Your Healthcare Practice?

Posted on March 23, 2020 by Jean Eaton in Blog

In our healthcare practices, we have policies and procedures to identify the reasonable safeguards we need to take to protect personal and health information entrusted to us. But when employees complete their roles off-site, due to personal circumstances or to ensure business continuity in unusual situations, we need to take action to ensure reasonable safeguards are in place to protect the privacy, confidentiality, and security of personal health information.

Remote Work May Be Available To Employees

Working from home is at the sole discretion of the custodian and owner of the clinic. Examples when this may be applicable include:

  • Business continuity – due to technical, physical, or other unusual circumstances.
  • Work levelling – volumes of work are distributed to another location usually for a short duration.
  • Illness / personal circumstances – where an employee is unable to report to work at the clinic but can continue to complete their roles off-site.

Some administrative tasks in a healthcare office – for example, incoming phone calls, appointment booking, appointment reminders, billing, and/or transcription – could be done from a home office environment. Sometimes even follow-up and consultations from the healthcare provider can be done remotely, too.

The healthcare provider or custodian is ultimately responsible to ensure the secure collection, use, and disclosure of health information.

For the purposes of this article, the ‘custodian’ may be the healthcare provider defined by the HIA, or the lead healthcare provider or owner in your practice.

p

In Alberta, a ‘custodian’ is defined under the Health Information Act as a health services provider who is designated in the regulations as a custodian, or who is within a class of health services providers that is designated in the regulations. HIA section 1(1)(f)(ix)

This includes:

  • Physicians
  • Pharmacists
  • Optometrists
  • Opticians
  • Chiropractors
  • Midwives
  • Podiatrists
  • Denturists
  • Dentists and dental hygienists
  • Registered nurses

Is Remote Working Good for Your Business?

As the custodian, you must decide if remote working is a good option for your business. When you decide that this is a viable option for your business, you then need to: 

  • Determine if remote working is appropriate for your employees.
  • Identify what clinic / business resources need to be provided to the employee remote worker.
  • What reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.

Likely you will continue to have both on-site and remote workers. The custodian will decide what ratio is appropriate to provide patient care and business goals on both a short term and a long term basis.

Regulations, Standards, Policy

Each healthcare business has multiple sources of sensitive information, including employee, financial, business, and health information. Custodians and owners have a responsibility under a variety of regulations, professional practice standards, and internal policies to protect the privacy, confidentiality, and security of personally identifying information (PII).

Health information is sensitive information. Reasonable efforts must be made to ensure that identifying and sensitive information is protected from unauthorized access, loss, or damage during and outside work hours. What a custodian may consider is reasonable efforts during a pandemic may be different than reasonable efforts from normal circumstances.

During a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing.

Privacy Impact Assessments

In Alberta, section 64 of the Health Information Act (HIA) requires custodians to prepare a privacy impact assessment (PIA) and submit it to the Office of the Information and Privacy Commissioner (OIPC) of Alberta prior to implementing a new administrative or technical process in a healthcare practice.

The OIPC in Alberta requests in its notice of March 19, 2020, that custodians notify the Commissioner about new administrative practices or information systems. Your submission to the OIPC should include a description of what the new program is meant to achieve and any safeguards for health information.

Standards

Your professional college may also have standards of practice and recommendations that impact your decision to implement remote working or virtual healthcare.

The Advice to the Profession series from the College of Physicians and Surgeons of Alberta (CPSA) offers guidance documents to assist you in assessing the security risks and safeguards of electronic communications, including laptops and mobile devices, to further assist you to determine appropriate safeguards.



From the College of Physicians and Surgeons of Alberta (CPSA):

COVID-19: Virtual Care

Electronic Communications & Security of Mobile Devices

Standard of Practice Telemedicine

Review Your Current Policies and Procedures

Don’t cut corners. Instead, build privacy into your decision. Create, review, and update your policies and procedures.

Use the Remote Worker Privacy and Security Checklist to help you document your decisions and expectations with eligible employees.

You may also need to consult your information technology support providers to ensure up-to-date computer and network security has been implemented.

Virtual Healthcare

Healthcare providers may consider providing virtual healthcare services to their patients. The healthcare provider may be at their usual clinic or office location and use all of their existing systems and tools to access patient records in paper or electronic medical records (EMR).

Alternatively, the healthcare provider may be working remotely, too. The same privacy, confidentiality, and security safeguards applies to their home working location.

If you are choosing to implement a new virtual healthcare solution specifically to respond to the current public health emergency, the Office of the Information and Privacy Commissioner (OIPC) of Alberta advises that

“ . . .custodian[s] need to determine what are reasonable safeguards in the circumstances and be prepared to justify their decision. Health custodians should also ensure individuals are aware of any heightened risks to privacy as a result of a new administrative practice or information system being implemented.”

Remember, you can leverage existing technology – like the telephone – to keep in touch with your patients. This likely would not be considered a new administrative or technological practice that would require a PIA. This might also be a great time to fully implement your current patient portal functionality from your EMR vendor, too.

You may decide, based on your evaluation of the potential risks and what reasonable safeguards that you can quickly implement in response to the new public health emergency, that authorizing remote working or a new videoconferencing solution is not the best choice at this time.

Select the process that ensures continuity of care to the patient, including appropriate documentation in the patient record and the protection of the PII.

​Reference

Notice: PIAs During Public Health Emergency, March 19, 2020, Office of the Information and Privacy Commissioner (OIPC) of Alberta

The Practice Management Success Tip, Remote Worker Privacy and Security Checklist, will help you

  • Determine if remote working is appropriate for your employees.
  • Identify what clinic / business resources need to be provided to the employee remote worker.
  • What reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.
Show Me The Remote Worker Privacy and Security Checklist

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

What Should I Do If I Think I Have COVID-19?

Do You Know Where Your Policies and Procedures Are? 

 

assessment, healthcare, medical, pandemic, physician, remote working, risk assessment, template, work from home

Recent Privacy Breach Convictions Under Alberta’s Health Information Act

Posted on October 15, 2019 by Jean Eaton in Blog

In August 2018, Alberta proclaimed amendments to the Health Information Act (HIA) that requires healthcare providers (custodians) to report a privacy breach with a risk of significant harm to the Office of the Information and Privacy Commissioner (OIPC), the Ministry of Health of Alberta, and of course, to patients affected by the privacy breach.

This requirement that custodians must report a privacy breach to the to the OIPC has resulted in a huge increase in the number of reported privacy breaches in healthcare.

Custodians includes healthcare providers like physicians, pharmacists, chiropractors, dentists, optometrists, registered nurses, health authorities, and more

This is not unexpected. We in healthcare know that there are many privacy breaches that happen everyday. Many of these breaches are honest mistakes. However, an increasing number are intentional, malicious actions intended to harm others.

The benefit of having these breaches reported to a regulator is to improve compliance to reasonable safeguards to protect the health information of Alberta residents. And, as a result, more custodians and affiliates (people that work for a custodian) are being held accountable under the HIA legislation to ensure that they are meeting the reasonable safeguards.

In the first year of mandatory privacy breach notification, the OIPC has received over 1,000 reports. Previously, when privacy breach reporting was discretionary, the OIPC received an average of 130 voluntary reports of privacy breaches annually.

​

What Happens When A Privacy Breach Is Reported To The OIPC

When a privacy breach is reported to the OIPC, the OIPC will review the report and consider the custodian’s determination if a reasonable risk to the patient(s) was present. The OIPC will review the report and consider:

  • agree (or not) with the determination of risk of harm
  • was the patient notified appropriately
  • is there an offence under the HIA
  • is an investigation warranted

If an investigation is indicated, the OIPC will conduct the investigation and report their findings to the Crown prosecutors at Alberta Justice. The Crown will determine if it will continue to press charges under the HIA.

Under the recent amendments to the HIA a custodian or an affiliate or both could if found guilty of an offence is liable for a fine anywhere between $2,000 to $500,000 depending on the circumstances and the nature of the offense. Other sanctions may also be applied by the court.

It takes time to report a privacy breach, have it reviewed and investigated by the OIPC and the Crown, and have individuals charged and appear in court.

We are now starting to see the first cases charged after the August 2018 amendments coming to court and privacy breach convictions under the HIA.

Unauthorized Access By Employees

During a routine internal audit of health records in the Alberta Public Laboratories clinical lab at the Red Deer Regional Hospital identified unauthorized access by lab employees. These breaches were first identified by the hospital during a routine audit of their electronic record systems. The internal investigation between December 2018 and May 2019 identified 2,158 patient records were accessed. Alberta Health Services reported that 30 staff were involved in these breaches and three staff are no longer employed by the lab.

Do you do routine audits? Here’s how.

There have been three recent decisions in from the Alberta provincial courts as a result of mandatory privacy breach reporting legislation.

Suspicious Activity Leads to Investigation And Charges

In June 2018, Alberta Health Services (AHS) received reports of suspicious activity by a billing clerk in Red Deer. An internal audit and investigation indicated that the clerk accessed the health records of 52 Albertans without authorization. AHS reported the breaches to the OIPC in June 2018.

The OIPC opened an offence investigation and referred its findings to the Specialized Prosecutions Branch of Alberta Justice. Charges were laid in July 2019. The former AHS billing clerk received a $5,000 fine on August 2019 and was ordered not to access health information for one year.

Snooping By A Clinic Employee

In another case, an Edmonton medical clinic employee was fined after pleading guilty to health data breach. The employee knowingly accessed health information of two people and made suspicious statements to the two individuals about their personal medical details. The individuals then requested access to the audit logs and the provincial electronic health record system, Alberta Netcare.

The individuals reported a complaint to the OIPC at which point the OIPC conducted an investigation.

The employee was charged in March 2019 and plead guilty in provincial court on September 26, 2019. She was fined $3,500 and ordered to pay a victim surcharge of $525.

Are Your Employees Privacy Aware? Start now!

Unauthorized Access By A Billing Clerk

On September 30, 2019 in Red Deer Provincial Court a billing clerk with Alberta Health Services was fined $8,000 for illegally accessing health records. The clerk opened health records of 81 people over 4,7471 occasions without authorization from his employer and custodian. The court also added the following conditions

  • 1-year probation
  • order to attend treatment and counselling and
  • not be employed in a position that allows him access to health information for 1 year

We will continue to see investigations under the HIA at appearing in our courts. The OIPC is currently investigating over 20 incidents and has flagged 70 more as potential offences.

Each of these incidents involved employees making poor choices about accessing patient health information. Reasonable prevention steps include privacy awareness training for every employee, healthcare provider, and contractor. In addition, every healthcare practice should be, monitoring access to records with routine audits and applying sanctions.

We obviously don’t speak often enough about what is acceptable, appropriate, and authorized access to patient’s health information.

Preventing a privacy breach is always less expensive than managing a privacy breach.

A privacy breach management plan will help you to prevent a breach and, when a breach happens, identify a privacy breach early to limit the risk of harm, size, and the cost of the breach.

 

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE 15 Minute Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Not sure what is considered a privacy breach? See When is a Privacy Breach a Privacy Breach?

 

References

CBC News. Investigation finds improper access to patient records at Red Deer hospital. Posted: Oct 04, 2019 12:48 PM MT | Last Updated: October 4 https://www.cbc.ca/news/canada/edmonton/red-deer-patient-records-breach-1.5309419

CBC News. Edmonton medical clinic employee fined after admitting to health data breaches. Posted: Oct 03, 2019 10:56 AM MT | Last Updated: October 3 https://www.cbc.ca/news/canada/edmonton/health-information-alberta-access-1.5307453

CBC News. AHS billing clerk fined $8,000 for illegally accessing health records Posted: Oct 09, 2019 10:47 AM MT | Last Updated: October 9. https://www.cbc.ca/news/canada/edmonton/ahs-billing-clerk-fined-8-000-for-illegally-accessing-health-records-1.5314783

CBC News. Jennifer Lee. Reports of health-care privacy breaches spike in Alberta. Posted: Oct 11, 2019 5:00 AM. https://www.cbc.ca/news/canada/calgary/health-care-privacy-breaches-spike-alberta-1.5316230

clinic, custodian, health, Health Information Act, healthcare, HIA, mandatory privacy breach notification, medical, physicians, privcy breach, reasonable safeguards
12345

What is the elephant in the room?

The Elephant in the Room Find out here...

 

Privacy Policy

 

I have used Corridor's Privacy Awareness in Healthcare: Essentials online training program. The course has helped satisfy the training requirements of the Health Information Act. Staff go through the course at their own pace while we monitor to ensure completion.

- Luke Brimmage, Executive Director, Aspen Primary Care Network

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2023 Information Managers Ltd.

1 shares
Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage vendors Read more about these purposes
View preferences
{title} {title} {title}