Information Managers
  • Home
  • Services
    • All Services
  • Templates
  • Blog
  • Contact Us
  • Practice Management Success
  • Podcasts

Is Remote Working A Good Choice For Your Healthcare Practice?

Posted on March 23, 2020 by Jean Eaton in Blog

In our healthcare practices, we have policies and procedures to identify the reasonable safeguards we need to take to protect personal and health information entrusted to us. But when employees complete their roles off-site, due to personal circumstances or to ensure business continuity in unusual situations, we need to take action to ensure reasonable safeguards are in place to protect the privacy, confidentiality, and security of personal health information.

Remote Work May Be Available To Employees

Working from home is at the sole discretion of the custodian and owner of the clinic. Examples when this may be applicable include:

  • Business continuity – due to technical, physical, or other unusual circumstances.
  • Work levelling – volumes of work are distributed to another location usually for a short duration.
  • Illness / personal circumstances – where an employee is unable to report to work at the clinic but can continue to complete their roles off-site.

Some administrative tasks in a healthcare office – for example, incoming phone calls, appointment booking, appointment reminders, billing, and/or transcription – could be done from a home office environment. Sometimes even follow-up and consultations from the healthcare provider can be done remotely, too.

The healthcare provider or custodian is ultimately responsible to ensure the secure collection, use, and disclosure of health information.

For the purposes of this article, the ‘custodian’ may be the healthcare provider defined by the HIA, or the lead healthcare provider or owner in your practice.

p

In Alberta, a ‘custodian’ is defined under the Health Information Act as a health services provider who is designated in the regulations as a custodian, or who is within a class of health services providers that is designated in the regulations. HIA section 1(1)(f)(ix)

This includes:

  • Physicians
  • Pharmacists
  • Optometrists
  • Opticians
  • Chiropractors
  • Midwives
  • Podiatrists
  • Denturists
  • Dentists and dental hygienists
  • Registered nurses

Is Remote Working Good for Your Business?

As the custodian, you must decide if remote working is a good option for your business. When you decide that this is a viable option for your business, you then need to: 

  • Determine if remote working is appropriate for your employees.
  • Identify what clinic / business resources need to be provided to the employee remote worker.
  • What reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.

Likely you will continue to have both on-site and remote workers. The custodian will decide what ratio is appropriate to provide patient care and business goals on both a short term and a long term basis.

Regulations, Standards, Policy

Each healthcare business has multiple sources of sensitive information, including employee, financial, business, and health information. Custodians and owners have a responsibility under a variety of regulations, professional practice standards, and internal policies to protect the privacy, confidentiality, and security of personally identifying information (PII).

Health information is sensitive information. Reasonable efforts must be made to ensure that identifying and sensitive information is protected from unauthorized access, loss, or damage during and outside work hours. What a custodian may consider is reasonable efforts during a pandemic may be different than reasonable efforts from normal circumstances.

During a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing.

Privacy Impact Assessments

In Alberta, section 64 of the Health Information Act (HIA) requires custodians to prepare a privacy impact assessment (PIA) and submit it to the Office of the Information and Privacy Commissioner (OIPC) of Alberta prior to implementing a new administrative or technical process in a healthcare practice.

The OIPC in Alberta requests in its notice of March 19, 2020, that custodians notify the Commissioner about new administrative practices or information systems. Your submission to the OIPC should include a description of what the new program is meant to achieve and any safeguards for health information.

Standards

Your professional college may also have standards of practice and recommendations that impact your decision to implement remote working or virtual healthcare.

The Advice to the Profession series from the College of Physicians and Surgeons of Alberta (CPSA) offers guidance documents to assist you in assessing the security risks and safeguards of electronic communications, including laptops and mobile devices, to further assist you to determine appropriate safeguards.



From the College of Physicians and Surgeons of Alberta (CPSA):

COVID-19: Virtual Care

Electronic Communications & Security of Mobile Devices

Standard of Practice Telemedicine

Review Your Current Policies and Procedures

Don’t cut corners. Instead, build privacy into your decision. Create, review, and update your policies and procedures.

Use the Remote Worker Privacy and Security Checklist to help you document your decisions and expectations with eligible employees.

You may also need to consult your information technology support providers to ensure up-to-date computer and network security has been implemented.

Virtual Healthcare

Healthcare providers may consider providing virtual healthcare services to their patients. The healthcare provider may be at their usual clinic or office location and use all of their existing systems and tools to access patient records in paper or electronic medical records (EMR).

Alternatively, the healthcare provider may be working remotely, too. The same privacy, confidentiality, and security safeguards applies to their home working location.

If you are choosing to implement a new virtual healthcare solution specifically to respond to the current public health emergency, the Office of the Information and Privacy Commissioner (OIPC) of Alberta advises that

“ . . .custodian[s] need to determine what are reasonable safeguards in the circumstances and be prepared to justify their decision. Health custodians should also ensure individuals are aware of any heightened risks to privacy as a result of a new administrative practice or information system being implemented.”

Remember, you can leverage existing technology – like the telephone – to keep in touch with your patients. This likely would not be considered a new administrative or technological practice that would require a PIA. This might also be a great time to fully implement your current patient portal functionality from your EMR vendor, too.

You may decide, based on your evaluation of the potential risks and what reasonable safeguards that you can quickly implement in response to the new public health emergency, that authorizing remote working or a new videoconferencing solution is not the best choice at this time.

Select the process that ensures continuity of care to the patient, including appropriate documentation in the patient record and the protection of the PII.

​Reference

Notice: PIAs During Public Health Emergency, March 19, 2020, Office of the Information and Privacy Commissioner (OIPC) of Alberta

The Practice Management Success Tip, Remote Worker Privacy and Security Checklist, will help you

  • Determine if remote working is appropriate for your employees.
  • Identify what clinic / business resources need to be provided to the employee remote worker.
  • What reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.
Show Me The Remote Worker Privacy and Security Checklist

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

What Should I Do If I Think I Have COVID-19?

Do You Know Where Your Policies and Procedures Are? 

 

assessment, healthcare, medical, pandemic, physician, remote working, risk assessment, template, work from home

Recent Privacy Breach Convictions Under Alberta’s Health Information Act

Posted on October 15, 2019 by Jean Eaton in Blog

In August 2018, Alberta proclaimed amendments to the Health Information Act (HIA) that requires healthcare providers (custodians) to report a privacy breach with a risk of significant harm to the Office of the Information and Privacy Commissioner (OIPC), the Ministry of Health of Alberta, and of course, to patients affected by the privacy breach.

This requirement that custodians must report a privacy breach to the to the OIPC has resulted in a huge increase in the number of reported privacy breaches in healthcare.

Custodians includes healthcare providers like physicians, pharmacists, chiropractors, dentists, optometrists, registered nurses, health authorities, and more

This is not unexpected. We in healthcare know that there are many privacy breaches that happen everyday. Many of these breaches are honest mistakes. However, an increasing number are intentional, malicious actions intended to harm others.

The benefit of having these breaches reported to a regulator is to improve compliance to reasonable safeguards to protect the health information of Alberta residents. And, as a result, more custodians and affiliates (people that work for a custodian) are being held accountable under the HIA legislation to ensure that they are meeting the reasonable safeguards.

In the first year of mandatory privacy breach notification, the OIPC has received over 1,000 reports. Previously, when privacy breach reporting was discretionary, the OIPC received an average of 130 voluntary reports of privacy breaches annually.

​

What Happens When A Privacy Breach Is Reported To The OIPC

When a privacy breach is reported to the OIPC, the OIPC will review the report and consider the custodian’s determination if a reasonable risk to the patient(s) was present. The OIPC will review the report and consider:

  • agree (or not) with the determination of risk of harm
  • was the patient notified appropriately
  • is there an offence under the HIA
  • is an investigation warranted

If an investigation is indicated, the OIPC will conduct the investigation and report their findings to the Crown prosecutors at Alberta Justice. The Crown will determine if it will continue to press charges under the HIA.

Under the recent amendments to the HIA a custodian or an affiliate or both could if found guilty of an offence is liable for a fine anywhere between $2,000 to $500,000 depending on the circumstances and the nature of the offense. Other sanctions may also be applied by the court.

It takes time to report a privacy breach, have it reviewed and investigated by the OIPC and the Crown, and have individuals charged and appear in court.

We are now starting to see the first cases charged after the August 2018 amendments coming to court and privacy breach convictions under the HIA.

Unauthorized Access By Employees

During a routine internal audit of health records in the Alberta Public Laboratories clinical lab at the Red Deer Regional Hospital identified unauthorized access by lab employees. These breaches were first identified by the hospital during a routine audit of their electronic record systems. The internal investigation between December 2018 and May 2019 identified 2,158 patient records were accessed. Alberta Health Services reported that 30 staff were involved in these breaches and three staff are no longer employed by the lab.

Do you do routine audits? Here’s how.

There have been three recent decisions in from the Alberta provincial courts as a result of mandatory privacy breach reporting legislation.

Suspicious Activity Leads to Investigation And Charges

In June 2018, Alberta Health Services (AHS) received reports of suspicious activity by a billing clerk in Red Deer. An internal audit and investigation indicated that the clerk accessed the health records of 52 Albertans without authorization. AHS reported the breaches to the OIPC in June 2018.

The OIPC opened an offence investigation and referred its findings to the Specialized Prosecutions Branch of Alberta Justice. Charges were laid in July 2019. The former AHS billing clerk received a $5,000 fine on August 2019 and was ordered not to access health information for one year.

Snooping By A Clinic Employee

In another case, an Edmonton medical clinic employee was fined after pleading guilty to health data breach. The employee knowingly accessed health information of two people and made suspicious statements to the two individuals about their personal medical details. The individuals then requested access to the audit logs and the provincial electronic health record system, Alberta Netcare.

The individuals reported a complaint to the OIPC at which point the OIPC conducted an investigation.

The employee was charged in March 2019 and plead guilty in provincial court on September 26, 2019. She was fined $3,500 and ordered to pay a victim surcharge of $525.

Are Your Employees Privacy Aware? Start now!

Unauthorized Access By A Billing Clerk

On September 30, 2019 in Red Deer Provincial Court a billing clerk with Alberta Health Services was fined $8,000 for illegally accessing health records. The clerk opened health records of 81 people over 4,7471 occasions without authorization from his employer and custodian. The court also added the following conditions

  • 1-year probation
  • order to attend treatment and counselling and
  • not be employed in a position that allows him access to health information for 1 year

We will continue to see investigations under the HIA at appearing in our courts. The OIPC is currently investigating over 20 incidents and has flagged 70 more as potential offences.

Each of these incidents involved employees making poor choices about accessing patient health information. Reasonable prevention steps include privacy awareness training for every employee, healthcare provider, and contractor. In addition, every healthcare practice should be, monitoring access to records with routine audits and applying sanctions.

We obviously don’t speak often enough about what is acceptable, appropriate, and authorized access to patient’s health information.

Preventing a privacy breach is always less expensive than managing a privacy breach.

A privacy breach management plan will help you to prevent a breach and, when a breach happens, identify a privacy breach early to limit the risk of harm, size, and the cost of the breach.

 

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE 15 Minute Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Not sure what is considered a privacy breach? See When is a Privacy Breach a Privacy Breach?

 

References

CBC News. Investigation finds improper access to patient records at Red Deer hospital. Posted: Oct 04, 2019 12:48 PM MT | Last Updated: October 4 https://www.cbc.ca/news/canada/edmonton/red-deer-patient-records-breach-1.5309419

CBC News. Edmonton medical clinic employee fined after admitting to health data breaches. Posted: Oct 03, 2019 10:56 AM MT | Last Updated: October 3 https://www.cbc.ca/news/canada/edmonton/health-information-alberta-access-1.5307453

CBC News. AHS billing clerk fined $8,000 for illegally accessing health records Posted: Oct 09, 2019 10:47 AM MT | Last Updated: October 9. https://www.cbc.ca/news/canada/edmonton/ahs-billing-clerk-fined-8-000-for-illegally-accessing-health-records-1.5314783

CBC News. Jennifer Lee. Reports of health-care privacy breaches spike in Alberta. Posted: Oct 11, 2019 5:00 AM. https://www.cbc.ca/news/canada/calgary/health-care-privacy-breaches-spike-alberta-1.5316230

clinic, custodian, health, Health Information Act, healthcare, HIA, mandatory privacy breach notification, medical, physicians, privcy breach, reasonable safeguards

Why Do You Need Health Information Policies and Procedures?

Posted on September 24, 2019 by Jean Eaton in Blog

Sharing is caring!

1shares
  • Share
  • Tweet
  • LinkedIn
  • Email

Maybe you’ve heard you need written policies and procedures for your health information, but you’re left asking yourself why it’s so important?

The truth is, without written policies and procedures, you open a healthcare practice up to a whole host of problems, including major legal issues.

In fact, every business needs good practices that apply to your:

  • Information that you collect from patients/clients
  • Website
  • Email
  • Business practices including electronic (or paper) patient records, and computer network
  • Financial information
  • Billing, collection, and payment processing

Within the healthcare industry, there are additional legislation requirements that require specific written health information policies and procedures.

The Health Information Act (HIA) and the Personal Information Privacy Act (PIPA)

As we mentioned, when a custodian collects health information, you must follow the Health Information Act (HIA) in Alberta.

Like most other private businesses in Alberta, private healthcare practices must also comply with the Personal Information Privacy Act (PIPA).

The colleges of regulated health professionals (like the Alberta Dental Association and College (ADAC) and the College of Physicians and Surgeons of Alberta (CPSA), require dentists and physicians to meet the standards of practice which includes compliance to HIA and PIPA legislation.

In addition, the college has other standards of practice that you must meet, including policies and procedures for the collection, use, disclosure, and access of health information.

So, let’s explore further why written policies and procedures are so essential, as well as what can happen without them, and why healthcare practices may not think they need them in the first place.

Benefits of Policies and Procedures

One of the most critical benefits of having policies and procedures in place is that they’re good for business.

Here’s how:

  • They contribute to consistent, efficient workflow.
  • You can figure it out once, write the procedure, tweak it to make it better, and then repeat the same procedure again and again.
  • They help you make better business decisions, like buying supplies, choosing services, and selecting vendors.
  • They help support your accreditation efforts.
  • On-boarding employees the right way with no missed steps is much easier with policies and procedures in place.

If you’re looking for even more proof of the benefits of having written procedures, it can also help you avoid:

  • Internal disputes within your team and external disputes with your patients and clients
  • Re-work and re-training employees
  • Poor customer service
  • Poor reputation
  • Fines and penalties

Fines And Penalties For Not Having Written Policies And Procedures

You might be wondering why you would face fines and penalties for not having written policies and procedures in the first place.

The HIA requires the custodian – which includes the dentist or dental hygienist – to take reasonable safeguards to protect the privacy and confidentiality of patients’ health information.

Having written policies and procedures is a common, expected, and reasonable safeguard.

Let’s say you have a privacy breach in your practice or an error (like sending a fax to the wrong number or you are a victim of a phishing or ransomware attack).

You can learn more about what makes a privacy breach a privacy breach here.

If you can’t demonstrate that you had the appropriate reasonable safeguards, like written policies and procedures in place, you are guilty of an offence under the law.

It’s illegal not to have policies and procedures when you collect health information.

If you are guilty of this offence, you are liable for a fine of a minimum of $2,000 and not more than $500,000. (HIA section 107(7)).

3 Policies and Procedures Myths

One reason some healthcare practices fail to have written policies and procedures is because they believe they don’t need them.

Often, this is because they’ve fallen prey to the common myths about policies and procedures.

There are 3 of the common myths that stop healthcare providers and their clinic managers from creating written policies and procedures:

  1. It’s Too Hard

While it does take some skill to write clear, easy to read, and easy to understand policies and procedures, it doesn’t have to be heard. In fact, you can even purchase templates to make this easier. 

  1. It Takes Too Much Time

Writing policies and procedures does take some time.

But investing the time to create policies and procedures pays off by preventing suffering from inconsistent or broken procedures, using or disclosing health information in error, and having to pay fines, penalties, public relations nightmares, or spending the time required to run a privacy or security investigation.

  1. It’s A Waste Of Time

Here are a few good reasons that prove writing policies and procedures is not a waste of time:

  • Practical privacy policies and procedures will create a more efficient practice and help you make better business decisions.
  • The policies and procedures become the foundation of your privacy impact assessment.
  • Policies and procedures are pre-requisites for other initiatives, like access to Netcare or other community integration initiatives, and privacy impact assessment (PIA). Click here to learn more about PIAs.
  • You must have them as part of your legislative compliance.
  • It’s the law. Not having policies and procedures regarding the collection, use, disclosure, and access of health information is illegal.

As you can see, written policies and procedures help ensure consistent office procedures and good communication between team members in your healthcare practice.

In addition to those good reasons, you must have good written policies and procedures about how you collect, use, disclose, and provide access to health information to avoid legal problems, fees, penalties, and other problems.

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

Get the Reliability And Power of Policy and Procedure Templates Without Spending Hours (or Days) Creating Them!

Your healthcare practice needs written policies and procedures to assist you to correctly, efficiently, and confidently collect, use, access, and disclosure of health information so that you can meet your accreditation, privacy impact assessment, and regulatory compliance requirements.

Show Me Policy And Procedure Templates!

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies and Procedures Are? 

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

When Do You Need a PIA Amendment?

What is a PIA?

Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, physicians, PIPA, Policies and procedures, privacy, Privacy Impact Assessment, reasonable safeguards

Do You Use Employee Privacy and Security Policy and Procedure Checklist Templates?

Posted on September 12, 2019 by Jean Eaton in Blog

Why Do You Need Employee Onboarding and Exiting Checklists?

There is much excitement when we welcome a new hire to our team and many administrative tasks need to take place to get this individual up and running.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed to protect patient privacy as required by our professional colleges and privacy legislation. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

To ensure that onboarding a new employee is a smooth transition, it is imperative to follow a practical checklist procedure to make sure no important steps are missed. There are also many other managerial benefits to adopting this high-quality process

  • Better job performance and satisfaction
  • Greater commitment to protecting privacy in the organization
  • Reduced stress and better staff retention

Employee Privacy and Security Checklist

Policies and procedures is a reasonable safeguard to protect the personal and health information entrusted to us. But polices and good intentions alone is not enough; we also need to take action to ensure our policies are understood and being followed by all our employees.

Training new and existing staff on privacy and security best practices is instrumental in making your healthcare practice a success and maintaining its fine reputation. Following a systematic approach to welcoming a new employee, transitioning an existing employee into a new position, or offboarding an employee who is exiting will guarantee that valuable privacy and security training and accesses are completed.

Read this Privacy Breach Nugget that explains what can happen if you don’t have these good practices in place. Do You Know Where Your Policies And Procedures Are? 

New Employee Orientation / Onboarding

New employees are a welcome addition to any team and there is a vast amount of training that needs to take place from general procedures on how to handle phone calls to signing confidentiality oaths to becoming familiar with all policies and procedures, in addition to learning the everyday job duties for their own position.

Since privacy is good for business, we do not want to miss any important opportunities to train our new staff on privacy and security best practices. Using the Employee Privacy and Security Checklist will help facilitate training discussions and document the authorized accesses of each employee.

Existing Employees / Annual Review

The checklist will also act as a tool for each employee at their performance review. Provide positive feedback and observations of an employee’s successes in protecting personal information. Discuss opportunities for improvement, too. This is also a good time to review an employee’s current authorized role based accesses and determine if any changes to match the employee’s current job duties is needed.

Ensure that the employee still has ‘tokens’ that they were given at the time of their hire, like identity badge, keys to the clinic or Alberta Netcare RSA fob.

Privacy and security best practice dictate that confidentiality oaths should be signed on an annual basis and annual privacy awareness and security refresher training should also be provided to all employees. In the event of a privacy incident or breach, it is imperative that a healthcare practice can prove by their documentation that regular privacy and security training is provided to their staff.

Transferring / Exiting Employees

When an employee transitions into a new role or is terminated, review, and update the privacy and security checklist to ensure that access and permissions are appropriately modified or terminated.

Custodian Responsibility

Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This includes having appropriate policies and procedures in place, as well as demonstrating and documenting that you have implemented your plans. This is a requirement of professional college standards of practice and privacy legislation like the Health Information Act (HIA).

See the article Do You Know Where Your Policies And Procedures Are? to learn what can happen to you if you don’t have your employee training process well documented

The Employee Privacy and Security Checklist will make it easy for you to ensure your new hires, existing employees, and transferring or exiting employees are privacy and security compliant.

 

Download the FREE Report - Employee Privacy and Security Policy and Procedure Checklist Template

If you are a member of Practice Management Success, login and access the webinar replay, and the policy, procedure, and checklist template.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security expecially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

 

 

clinic, health care, healthcare, medical, policy, Practice Management Success, privacy, procedure, template

Do You Know Where Your Policies And Procedures Are?

Posted on September 2, 2019 by Jean Eaton in Blog

This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice. 

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. #PoliciesClick to Tweet

Don't let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta's Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose. 

It started with at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Employee Dispute

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigative report is not the current custodian at the clinic. The physician was hired in 2015 and therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8 (6) of the Regulation states the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodians administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.

Policy and Procedure Manual

Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

  • The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information in contradiction contravention of section 8(6) of the regulation.
  • The custodian was in contravention of section 8(6) of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note any collection use or disclosure of health information by an affiliate of a custodian is considered to be the collection, use, and disclosure by the custodian.
  • The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps. 

  1. Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
  2. Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
  3. Oath of confidentiality documents should be signed by all of all clinic staff and custodians and maintained in a secure location.
  4. Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.

Monitor

This incident occurred in 2016. The OIPC office did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide a provision for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure we have these administrative, technical, and physical safeguards in place and are maintained in a consistent fashion.

When you've done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies And Procedures Are?

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

Safeguards: The What, Why, and How

When Do You Need a PIA Amendment?

When is a Privacy Breach a Privacy Breach?

References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf

#PrivacyBreachNugget, Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, Patient privacy, physicians, Policies and procedures, Prevent privacy breaches, privacy, privacy breach, Privacy Impact Assessment, reasonable safeguards, templates

Privacy Principles Applies After Death

Posted on August 5, 2019 by Jean Eaton in Blog

Are your staff looking at medical records when they shouldn’t be?

Many people have the mistaken impression they can look at a patient's medical records as long as they don’t tell anyone else.

You can’t.

We see over and over again in ‘snooping’ cases where seasoned and new healthcare providers and support team members don’t realize that looking at patient’s health information without a need to know that information to provide a health service right away is wrong.

Kate Dewhirst summarized this as

  • Privacy = don’t look
  • Confidentiality = don’t tell

We still need privacy awareness training – even those experienced healthcare providers who push back and say that they have been in the business for years still often have more to learn.

Yes, we still need privacy awareness trainingClick to Tweet

In this post I am sharing an example of the Ontario’s Information Privacy Commissioner (IPC) complaint investigation from the family of a deceased individual. Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

In 2014, a physician acting in his role as a coroner, accessed the deceased’s health record. Shortly thereafter, the family alleged that the physician, who was also a family member of the deceased, continued to access the deceased’s personal health information (PHI) contrary to Ontario’s Personal Health Information Protection Act (PHIPA).

The family submitted a complaint to the hospital. Initially, the hospital's response did not satisfy the family. The family filed a complaint to the Information and Privacy Commissioner (IPC) of Ontario.

The IPC started a complaint investigation.

Privacy Breach Investigation

Privacy Complaint Investigation

Under PHIPA, the hospital is a health information custodian and the physician is an agent of the hospital.

During the IPC investigation, the physician confirmed he “accessed the health information in response to his concern about the individual’s well-being.”

“I know now that proceeding in this way was misguided and wrong.” He would never disclose the information to anyone; that would be a violation of patient privacy and a breach of doctor – patient confidentiality.

The physician acknowledged he did not fully appreciate the related but distinct concepts of patient privacy, the circle of care, and the ‘need to know’ principle.

Confidentiality rights arise out the special relationship between the client and the health professional or provider.

In contrast, privacy rights are the general rights of all persons to limit the access to their PHI. Individuals have the right to privacy, even after death.

Individuals have the right to #privacy, even after death. Click to Tweet

4 Step Response Plan

The hospital received a complaint from the family, which triggers the first step to spot and stop the breach.

Secondly, the hospital did an initial investigation to evaluate the risks of the incident. Later, after the IPC initiated their complaint investigation, the hospital re-visited the internal investigation and completed a comprehensive review and used audit log reporting tools to assist them.

Eventually, the hospital took the third step and notified the individuals’ family of the privacy breach. However, the notification was not timely. A more comprehensive response to the families’ complaint, followed by a notice to the family may have provided a better response.

Preventing a similar breach is the fourth step.

Since this incident, the hospital has:

  • installed a new auditing program that considerably enhances its ability to detect unauthorized access.
  • updated its Privacy and Confidentiality Policy, which applies to all agents of the hospital.
  • developed a yearly electronic privacy training program for all staff, volunteers and learners and will require all credentialed physicians to complete this training as part of the annual reappointment process.
  • strengthened the privacy warning on its electronic system, which warns users that unauthorized use of personal health information may result in disciplinary action.

Privacy Breach Physician Sanctions

 

The hospital’s Medical Advisory Committee recommended to the Board of Directors that the physician’s privileges be suspended for three months, that the hospital conduct enhanced monitoring of the physician’s access to the electronic medical record for three years, and that, on his return to practice, the physician be required to present at Grand Rounds on the topic of privacy.

The IPC concluded that the disciplinary consequences for the physician were sufficient in the circumstances.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Privacy awareness education is more than just having policies and procedures. Demonstrating good practices, regular discussion about examples, and even gamification helps to ensure that all members of your healthcare team understand their roles and responsibilities.

If you need to start or update your privacy awareness training program, check out the on-line education Privacy Awareness in Healthcare: Essentials.

If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Plan.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video "Can You Spot the Privacy Breach?"

References and Resources

Dewhirst, Kate. After Death: Who Can Access The Records Of A Patient After Death? May 7, 2019. https://katedewhirst.com/blog/2019/05/07/after-death-who-can-access-the-records-of-a-patient-after-death/

Ontario Information and Privacy Commissioner IPC Investigation Report PHIPA DECISION 74 HC15-4 Sault Area Hospital August 10, 2018.

#PrivacyBreachNugget, 4 Step Response Plan, clinic, complaint investigation, death, deceased, healthcare, IPC, medical, Ontario, PHIPA, privacy, privacy after death, privacy awareness training, privacy breach, privacy breach nugget, privacy principles

When Do You Need a PIA Amendment?

Posted on July 23, 2019 by Jean Eaton in Blog

A Privacy Impact Assessment Is Good For Business

A privacy impact assessment (PIA) is part of a regular business process if you collect, use, or disclose personal health information in your healthcare practice. When you have a previous PIA that has been prepared, submitted to the Office of the Information and Privacy Commissioner (OIPC) and it has been accepted for use–well, that is not the end of your PIA journey.

You need to ensure that you are updating and amending your PIA as your practice matures and as you make administrative and technical changes to the procedures in your practice.

You need a PIA Amendment when you have a previously accepted PIA and any one of these common triggers below.

You Have a PIA That Was Written More Than 2 Years Ago

It is time to review and update this!

Under Section 8(3) of Alberta’s Health Information Regulation, custodians must periodically review the safeguards they have in place to protect health information privacy. This means that custodians need to regularly review the privacy risk mitigation plans set out in PIAs to ensure they continue to protect against reasonably foreseeable risks to the privacy of health information. The submission of your PIA to the Office of the Information and Privacy Commissioner (OIPC) is mandatory and must precede implementation of your new system or practice.

Change in Health Information Act (HIA) Legislation and Regulations

The HIA has undergone significant amendments in 2006, 2010, most recently in August 2018. Make sure that you have updated your privacy breach management program and include mandatory privacy breach notification to the (OIPC) and the Minister of Health (MOH). Again, ensure that your team training has been updated so that they know how to spot, stop, and report a privacy breach. (See Mandatory Privacy Breach Notification)

Changes In Your Electronic Medical Record or Computer Network

You have the same EMR database, but maybe the configuration has changed. For example, a change from a local to an application service provider (ASP) or cloud-based data centre or Software as a Service (SAS) model would trigger a PIA amendment.

Another trigger is a change in your computer network vendor or changes in wireless networking, remote access, or implementing mobile devices.

PIA amendment EMR computer network

Change in Participating Physicians / Privacy Officer

Since your original PIA, you may have new custodians, including physicians, registered nurses, chiropractors, and other health professionals named in the HIA that have joined or left your practice. Your Privacy Officer may have changed, too. Your amendment should include an up-to-date listing of custodians and privacy officers.

New Users / Information Sharing

There have been many recent information sharing initiatives in healthcare. You might now plan to participate in evaluation projects, patient panel management, or other community initiatives. Make sure that you have your PIA amendment and information manager agreements completed, too. (See – The Top 3 Agreements Your Healthcare Practice MUST Have (and Why).

A quick word of caution: if your new information sharing project includes data matching–the creation of new information by combining two or more sets of data—requires custodians to prepare a privacy impact assessment before performing data matching involving health information (HIA sections 70, 71). The custodian that carries out the data matching is responsible for preparing the Privacy Impact Assessment.

PIA amendment new users

Communicating With Patients

If you are adding new technology to keep in touch with patients for appointment reminders, on-line appointment booking, secure email or patient portals, these will trigger a PIA amendment or, perhaps, a project specific PIA. Make sure that your policies and procedures are up to date, too. (See – Can You Use Text Message With Your Patients? )

PIA Amendment Communicating with patients

Alberta Netcare Portal (ANP) / Community Integration Initiative (CII) / CPAR

ANP updated their PIA in 2016 and, therefore, you need to make sure that your corresponding policies and procedures and training have been updated, too. Remember – when you agreed to participate in ANP, you promised that you would review your threat risk analysis (TRA) and update your Provincial Organization Readiness Assessment (p-ORA) when changes occur and at least every two years.

If you want to participate in new initiatives like CII and CPAR, you need to review and update both your PIA and your p-ORA, too.

Maturing Practice

You have learned and grown since your original Privacy Impact Assessment submission. Have you implemented everything that you said that you would? Can you demonstrate that your teams have received privacy and security awareness training? Have you reviewed your Health Information Management Privacy and Security policies and procedures in the last two years?

Keeping up to date without any other significant changes to your practice may not trigger a Privacy Impact Assessment amendment. Make sure that you document your careful review so that you are prepared for your next Privacy Impact Assessment submission.

Important Business Decisions

Creating and reviewing your PIA regularly can help you to spot errors or gaps between the way that you do the work in the clinic and the way that you said that you were going to implement in your clinic.

The questions that we ask during the PIA process are important. The time that you take now to identify the potential risks and prevent those incidents from happening may save you time, money, reputation and even jail time in the future.

You Know Your Practice Better Than Anyone Else

When you have a coach to guide you through the PIA amendment process, provide you with templates, and give you feedback on your work in regular live training webinars, join me in the on-line step-by-step course, Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments.

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments

Find out more here: Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments or send me an email.

Practice Management Nuggets Podcast

This topic is included in our Practice Management Nuggets podcast! Be sure to tune in to the podcast episode

When Do You Need a PIA Amendment? | Episode #078

Listen to the Podcast
#PrivacyImpactAssessment, #ProtectYourPractice, Alberta, clinic, health care, Health Information Act, healthcare, HIA, how to do a pia, medical, Netcare, PIA, Privacy Impact Assessment, privacy impact assessment amendment, training

How To Capture Patient Satisfaction With CareSay

Posted on July 2, 2019 by Jean Eaton in Blog

‘This call may be recorded to ensure quality control.’

We’ve all heard the recorded message when we call our bank or service provider .

But, is this the best way to capture patient satisfaction with their healthcare visit experience?

Are you looking for options to capture patient satisfaction with their interactions with your office staff during phone calls and their entire visit?

There are other options that require less technology, easier to implement, respects privacy, provides a more meaning constructive, helpful, feedback for your clinic team and engages your patients to improve their satisfaction.

I reached out to Brian Lee from Custom Learning Systems about his suggestions on how to explore patient satisfaction.

Brian Lee is my guest expert on Practice Management Nuggets Podcast for Your Healthcare Practice. Brian Lee is one of North America’s leading experts in the field of World-Class patient experience, staff engagement and culture change.

In this 16 minute episode, Brian Lee, shares options for the healthcare provider and business owner to easily capture and measure the patient's experience and give them an opportunity for feedback so that you can improve patient satisfaction and patient care in your healthcare practice.

 

Brian Shares His Key Tips Including

  • Options to create a patient experience survey (including CGCAPS).
  • New tools that empowers the patient to provide clinics with feedback about their experience.
New tools empowers the patient to provide clinics with feedback about their experience.Click to Tweet

My Favorite Takeaways From The Podcast

  1. Ensure that we do constructive, positive education with our caregivers.
  2. Measure the patient's experience.
  3. Empower the patient to provide the clinic and the caregivers with feedback.

Be sure to tune in to my interview with Brian Lee on How To Capture Patient Satisfaction With CareSay | Episode #077

Then, click here to get the free CareSay Review app: the unique new app to help you Connecting service providers and patients in a whole new way!

If you are a member of Practice Management Success, login here and view the webinar replay.

#digitalhealth, #PatientCenteredClinic, #PatientEngagement, #PracticeManagementNuggets, Brian Lee, CareSay, CGCAP, clinic, Everyone's a Caregiver, healthcare, medical, patient centered clinic, patient satisfaction, podcast, review

Are You Drowning in Patient Referrals?

Posted on May 13, 2019 by Jean Eaton in Blog

Are you drowning in patient referrals?

Playing telephone tag with specialists and patients?

Faxing is old technology, a massive time waster, and can be very costly both financially and emotionally when faxes get lost in the system.

In our Practice Management Nugget Webinars for Your Healthcare Practice series on October 12, 2017, I spoke with Dr. Denis Vincent, Physician Founder of ezReferral. There are many things that you can do right away to improve patient referral management.

Dr. Denis Vincent's #1 Tip to improve the patient referral process:

“Find more effective ways to involve and engage the patient in the referral process.”

 

The traditional referral workflow is inefficient

string telephoneUsing phone and fax messages from the referring provider to the consulting provider and back to the referring provider and then to the patient takes time. And every time that the message is transferred, there is a risk that the message is not understood or is lost.

So, we have a tendency to create complicated backup systems to double-check and make sure that none of the steps get missed. Many practices have created a ‘referral binder’ monster – the master referral list for the clinic. This binder is full of post-it notes, tags, and phone messages and reminders to help us make sure that the referral appointment is booked, the patient is notified, and the appropriate follow-up takes place.

Patient Referral BinderEven in practices with an electronic medical record (EMR), we use a paper process to ‘make it easier’ to track patient referrals.

But the binder can only be used by one person at a time and only seen by the people in that office. The patient has no idea about the status of their referral so they phone the office regularly to ask for updates.

Receptionist phoneBut wait! We want to make sure that everyone knows what is happening with the referral. We leave phone messages and voice mail and talk to the patient, the specialist, the referring provider to remind, confirm, and follow-up.

 

Save 60 minutes for each patient referral

Denis Vincent suggests that his family physician office referral coordinator used to spend an average of 75 minutes on each patient referral. That referral cycle can take months just to get to the point where the specialist appoint is confirmed and the patient is notified.

Now, using ezReferral, the entire referral process takes an average of 15 minutes of staff time per patient referral. That is a savings of 60 minutes per referral!

You can do this when you use a synchronous patient referral management system. EzReferral is a secure cloud-based solution that manages the patient referral process with clear real-time communication that the referring provider, specialist provider, and the patient can see at any time.

Multi-disciplinary healthcare team

Multidisciplinary referralezReferral is designed to work with any multi-disciplinary referral pattern in your practice. For example, family physician to specialist physician or any other healthcare provider.

14 days from referral order to confirming appointment. Can you do that?

Starting in January 2017, physicians in Alberta must meet new time frames for acknowledging and responding to referral requests. If you are asked to consult on a patient, you will have:[1]

  • 7 days to acknowledge receipt of the request to the referring healthcare provider.
  • 14 days to let the referring healthcare provider know whether you can accept the referral.
  • 14 days to contact the patient to schedule an appointment or to confirm the status of the referral, if no appointment date has been determined.
  • 30 days to provide the referring healthcare provider with a written report after your first appointment with the patient.
  • Consulting physicians will also need to be reasonably available to respond to referral requests and ensure their process is accessible.
  • Referring physicians will have to make sure they include all pertinent clinical information (including relevant investigation results) and the purpose of the consultation with their request, to enable the consulting physician to determine whether he/she can accept the referral within the mandated 14-day time frame.

([1] College of Physicians and Surgeons of Alberta)

These are good standards to meet for every type of healthcare provider.

You can meet these standards when you use a synchronous patient referral management system. EzReferral is a secure cloud-based solution that manages the patient referral process with clear real-time communication that the referring provider, specialist provider, and the patient can see at any time.

ezReferral Patient Text Message

Patient Benefits

  1. Patient Engagement
  2. Patient Satisfaction
  3. Patient Peace of Mind
  4. Better Patient Care

Referrer Benefits

  1. Happier patients
  2. Reduce workload
  3. Eliminate the “black hole”
  4. Satisfied Staff

Specialist Benefits

  1. Reduced workload
  2. Reduce no-shows
  3. Reduce phone calls
  4. Reduce overhead
  5. Audit trail


Testimonial from Edmonton Eyelids

“Our office has been using ezReferral since July 2016. It’s easy to rave about this powerful communication tool – each referral received through this system takes a fraction of the time required through our faxed referral system, due mainly to the fact that most patients choose to receive referral notifications by text and/or email (thereby eliminating the “middle ground” in which some referrals can get lost). What truly sets ezReferral apart from ANY online interface that I have ever used: the support staff is accessible, proactive, and fast.”

Shawna Sazwan
Edmonton Eyelids

Dr. Vincent has implemented ezReferral in his family practice. I have to admit, I’m blown away with his experience that 95% of the patients choose to receive their notifications by text messaging. That’s much better than I anticipated.

This solution is ideal for healthcare practices with referrals within the medical community and even better when you are working with multidisciplinary referral teams. This works well for both paper based and electronic medical record based practices.

Watch the webinar replay now to see how you can save time, money, while improving the patients’ access to health care in a timely, efficient manner. You will also discover the key steps and timelines to prepare for implementation in your practice.

Practice Management Nugget webinar interview with Denis Vincent  was recorded live on October 12, 2017.

 

Watch the Webinar

 

If you are a member of Practice Management Success, login here and view the webinar replay and access the members-only resources.

#PracticeManagementNuggets, Dr. Denis Vincent, ez Referral, ezReferral, fax, health care, healthcare, medical, patient referral management, practice management, review ezReferral

Fax Received in Error – Is this a Notifiable Privacy Breach?|

Posted on March 28, 2019 by Jean Eaton in Blog

Has this ever happened to you?

You are a clinic manager in a healthcare practice. One day, you receive a phone from a healthcare provider in another clinic.

They have received a fax with patients’ health information from someone in your clinic. But the fax is not addressed to them – they received it in error.

Is this a mandatory notifiable privacy breach under Alberta’s new Health Information Act (HIA) regulations?

Part A: Circumstances Where Notification Is Required

There are 5 triggers under the Alberta Health Information Act (HIA) that require mandatory privacy breach notification to the Office of the Information and Privacy Commissioner (OIPC) and the Alberta Minister of Health and the individual(s) affected in the breach.

In this scenario, the  receiving custodian accessed health information for an individual who was not his patient. Clearly, there is a reasonable basis to believe that the information has been accessed (read) by a person (section 8.1(1)(a) of the Health Information Regulation.)

However, the sending custodian had no reason to believe that the information would be misused.

Fax Sending Receiving Error

Part B: Circumstances Where Notification Is Not Required

 The sending custodian assessed the circumstances of the breach and concluded (as per section 8.1(1)(i) of the Health Information Regulation) that the receiving custodian:

  • Accessed the health information in a manner consistent with his role as a health services provider and did not do it for an improper purpose.
  • Is subject to confidentiality policies and procedures that meet the requirements of section 60 of the Act.
  • Did not use or disclose the information beyond determining that he received it in error.

The sending custodian assessed that the risk is appropriately mitigated and this privacy breach incident did not trigger mandatory notification requirements. 

Next Steps

The sending custodian must record the privacy breach in their business records. (I suggest that you use an internal privacy breach reporting form and spreadsheet. You can access these templates in the 4 Step Response Plan.) Remember to include your determination that you do not need to report this breach and the reasons that support your decision.

We know that faxes are a frequent source of privacy breach incidents. What can you do in your practice to reduce the risk of faxes in error?

Practice Management Nuggets Podcast

This topic is included in our Practice Management Nuggets podcast! Be sure to tune in to the podcast episode Fax Received in Error – Is this a Notifiable Privacy Breach? | Episode #067 .

Listen to the Podcast

My Favorite Takeaways From the Podcast

  1. Understand the mandatory privacy breach notification triggers and the circumstances where notification is not required.
  2. Record your privacy breaches – even the ones that do not trigger mandatory privacy breach notification.
  3. Review and improve your fax procedures. We know that this continues to be a frequent source of breaches. What can you do to better manage this known risk?

If you are a member of Practice Management Success, login here and view the webinar replay.

#PracticeManagementNuggets, clinic, fax, healthfare, mandatory privacy breach notification, medical, podcast, privacy breach
12345

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

Thank you so much for the webinar [on Privacy Breach]. It was very informative and thought provoking.

- Sheryl McCormick, Executive Director, Cold Lake Primary Care Network

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2020 Information Managers Ltd.