
Add Custodians To Your PIA

Posted on December 28, 2020 by Meghan in Blog

Congratulations! You have expanded your practice and recruited a new healthcare provider to your team. Now you also need to add a custodian to your PIA.

To do this, you need to orient the provider to your practice, including the policies and procedures that protect the privacy, confidentiality, and security of personal health information, and inform the Office of the Information and Privacy Commissioner (OIPC).

When the new healthcare provider is a member of a regulated health profession as defined by the health privacy legislation in Alberta, the Health Information Act (HIA), the provider also has responsibilities as a custodian.

HIA Definitions:

Custodian

A health service provider; specifically, a member of the following regulated health professions: Optometrists, Opticians, Chiropractors, Midwives, Podiatrists, Denturists, Dentists and dental hygienists, Registered nurses, Pharmacists, and Physicians (and others).

Affiliate

An employee of a custodian or as designated by the custodian, for example medical office assistant, receptionist.

The incoming custodian must ensure that reasonable administrative, technical, and physical safeguards to protect personal health information are implemented in the practice. This includes ensuring that they have reviewed the current privacy impact assessment (PIA).

The lead custodian also has an obligation under the Alberta Health Information Act (HIA) to inform the Office of the Information and Privacy Commissioner (OIPC) when there are changes to the organizational management of the clinic.

How To Add Custodians To Your PIA

In Alberta, the lead custodian in a clinic must update their PIA regularly and inform the OIPC when there are significant changes to their PIA.

One common trigger for informing the OIPC is the addition of a custodian to the practice. Often, this PIA amendment can be as simple as a letter to the OIPC.

  1. The lead custodian or privacy officer will prepare an amendment to the previously submitted Privacy Impact Assessment when new custodians join the practice. Often a letter to the OIPC signed by the lead custodian is sufficient.
  2. The PIA amendment must include how the custodian has been made aware of the current PIA and how they are meeting their requirements to enter into an agreement with information managers as defined in the Health Information Act section 66.
  3. The lead custodian will submit the PIA amendment to the OIPC for acceptance.
  4. The new custodian must acknowledge that they have been informed of the Health Information Privacy and Security Policies and Procedures and the submitted PIA and agree to follow these practices. The new custodian will sign the letter to the OIPC and attach it to the PIA amendment from the lead custodian (in step #1 above) to the OIPC for acceptance.


Routine Onboarding Of New Employees

Before the new custodian is granted access to patient health information, your computer network, and your electronic medical record (EMR), you need to ensure that new custodians are aware of your Health Information Privacy and Security Policies and Procedures, PIAs, and information manager agreements, including the information management agreements with Alberta Netcare Portal, patient records management, EMR vendor, billing vendor, and/or others.

You should have a written policy and procedure ‘When a New Physician / Custodian Joins Your Practice’ to guide you when onboarding new custodians. The procedure should include the forms below and template letters to the OIPC. These templates are also available to members of Practice Management Success.

Alberta, amendment, custodian, dental, Health Information Act, medical clinic, OIPC, PIA, Privacy Impact Assessment

OIPC Annual Report

Posted on December 27, 2020 by Meghan in Blog

Alberta Office of the Information and Privacy Commissioner Annual Report

Recently, the Alberta Office of the Information and Privacy Commissioner (OIPC) released its Annual Report 2019/2020.

The report is from April 2019 to March 2020. This is the first full year of mandatory privacy breach reporting requirements in Alberta.

Because of the volume of privacy breaches, the OIPC has now chosen to triage privacy breach reports. It is fast-tracking any breaches where individuals have not yet been notified of the breach or where a potential offence is suspected.

If you've submitted a privacy breach report to the commissioner's office and haven't heard back yet, it may be because the report went through this triage process. If you have completed an internal investigation and notified the affected individuals, your breach report has likely not been flagged as a high priority.

OIPC Investigations

The OIPC conducted investigations regarding offences under the Health Information Act (HIA), usually privacy breaches. In that time period, it forwarded 18 cases to the Special Prosecutions Branch of Alberta Justice for further investigation.

Privacy Breach Trends

The commissioner's office also reported some interesting privacy breach trends from the breaches reported to it under the Personal Information Protection Act (PIPA). Of the cases reported, a hundred were electronic system compromises: a loss of security in a computer network of some kind, either under the organization's direct control or under the control of a third-party vendor.

Human error is still a large source of privacy breaches. This includes both misdirected communications, such as mis-sent postal mail, email, or faxes, and unauthorized disclosure, such as when health providers discuss health information with other providers not involved in the patient's care.

There were also 20 incidents of theft noted in this report, and these included rogue employees.

Snooping continues to be an issue, although the report did not provide numbers to go with that.

Ransomware is also a serious issue, one that the commissioner's office predicts will continue, particularly in clinics that lack technical security controls on their computer systems.

Social engineering, which is tricking someone into divulging information based on false pretenses and assumptions, is a significant danger in the healthcare industry.


Social Engineering Example

Somebody posed as a pharmacist and wrote emails to pharmacies in order to get information about a particular patient. The email read as though the patient had travelled from one location to another, and the fraudulent pharmacist asked fellow pharmacists at the other location to provide some information.

This social engineering campaign was considered a significant threat and the college of pharmacists actually released an advisory to pharmacies to warn them of this social engineering attack.

This is a good word of caution for all of us: do not make assumptions just because somebody's email signature line says they are a pharmacist or other healthcare provider. We still need to verify the identity of that individual and not rely on the email signature alone.

You can download the report from the OIPC website. It provides a variety of other statistics and examples about investigation reports and privacy breach trends that may be of interest to you.

Health Information Act, medical clinic, OIPC, privacy and security, privacy breach

Do You Need a PIA for Remote Working or Virtual Care?

Posted on March 31, 2020 by Meghan in Blog

If your healthcare practice is implementing remote working or virtual healthcare, you need to notify the OIPC.

Health information is sensitive information. Reasonable efforts must be made to ensure that identifying and sensitive information is protected from unauthorized access, loss, or damage during and outside work hours. What a custodian considers reasonable efforts during a pandemic may differ from what is reasonable under normal circumstances.

In Alberta, section 64 of the Health Information Act (HIA) requires custodians to prepare a privacy impact assessment (PIA) and submit it to the Office of the Information and Privacy Commissioner (OIPC) of Alberta prior to implementing a new administrative or technical process in a healthcare practice.

The OIPC in Alberta requests in its notice of March 19, 2020, that custodians notify the Commissioner about new administrative practices or information systems.

How Do I Notify The OIPC?

Step 1: If you have implemented, or plan to soon implement remote working, virtual care or other administrative or technical changes in response to the COVID-19 pandemic, send an email to the OIPC to inform them, in general terms, about your plans.

Step 2: As soon as possible, submit a project specific Privacy Impact Assessment to the OIPC.

To help you get started with Step 1, I have prepared a sample email that you can use.

Not sure if remote working is right for your healthcare practice?

Check out the Practice Management Success Tip, Remote Worker Privacy and Security Checklist, which will help you:

  • Determine if remote working is appropriate for your employees.
  • Identify what clinic / business resources need to be provided to the employee remote worker.
  • Identify what reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.

healthcare, medical, OIPC, pandemic, physician, PIA, remote working, risk assessment, virtual healthcare, work from home

When is a Privacy Breach a Privacy Breach?

Posted on July 13, 2019 by Jean Eaton in Blog

The biggest mistake in managing a privacy breach is not recognizing the privacy breach.

The second biggest mistake is not knowing what to do about it.

The recent publicity about the privacy breach in Alberta, when a laptop with health information was stolen and came to the public's attention several months later, is not the first news item of its kind. In fact, this happens frequently in healthcare, retail, government departments and other industries. This doesn't make it any easier to swallow and certainly doesn't make it right. But it is an opportunity for you, whether healthcare provider, practice manager, or vendor, to make sure that you have good practices in place to manage your next privacy breach.

Health information is recognized as being particularly sensitive and important to the person the information is about. It is so important, in fact, that a new breed of legislation was developed to set out specific rules to ensure that health information has robust safeguards (administrative, technical, and physical) to keep it confidential and secure. In Alberta, the Health Information Act (HIA) was proclaimed in 2001 to help custodians (people or organizations who collect, use, and disclose health information) identify the risks of a breach of health information and how to prevent them. The legislation also ensures that the people whom the health information is about have access to their personal health information.

In August 2018, amendments to the HIA were proclaimed that make it mandatory to report to the Office of the Information and Privacy Commissioner (OIPC) any privacy breach that could result in harm.

Privacy breaches come in all types and sizes. One of the most common forms of privacy breach is when a clinic or healthcare provider intends to send a report to another healthcare provider for continuing care and treatment, but it is sent to the wrong physician. Or, the referral request went to the correct physician but included extra information about another patient that was not part of the referral.

What Is Considered a Privacy Breach?

A privacy breach is an unauthorized access to, or unauthorized collection, use, disclosure, loss, or disposal of, personal or health information.

To each of us, our own personal health information is important. As a healthcare industry, we need to recognize this and acknowledge that each privacy breach is important to the person the information is about. We need to minimize the risk of the information being used inappropriately or maliciously. We need to acknowledge to ourselves and to our patients and clients that we are human, that sometimes we make mistakes, and that we will strive to do better.

A 'small' breach of one person's information, one time, might have a big impact on the individual involved.

A 'big' breach, such as a lost laptop, might have a bigger magnitude, affecting many individuals.

When a breach also meets the requirements for mandatory notification, a custodian must report the breach regardless of how many people's information has been included in the breach.

4 Step Response Plan

When you have a privacy breach, follow these four steps to manage the privacy breach incident.

Step 1 – Spot and Stop the Breach

Each breach is important and needs to be recognized. Contain the breach so that it doesn't get any bigger.

Step 2 – Evaluate the Risks

Your privacy officer will investigate the incident and learn about the size, scope, and details of the breach. Consider whether there is a reasonable basis to believe that there is a risk of harm to an individual.

Step 3 – Notify

Notify the custodian, the affected individuals and (now, with the 2018 amendments), the Alberta OIPC, Minister of Health, Alberta Health (if the breach includes Netcare) and others.

The individual whose information has been breached needs to be made aware of the problem and the risk they might experience, so that they can prepare to limit the risks. The custodian needs to know how to manage the privacy breach and report it, internally and perhaps to other stakeholders.

Step 4 – Prevent the Breach From Happening Again

Correct and monitor the incident(s). Actively take steps so that the breach does not happen again.

4 Step Response Plan, Alberta, breach, Health Information Act, HIA, OIPC, privacy, privacy breach, training

Alberta Netcare: What are your Patient Rights?

Posted on January 25, 2013 by Jean Eaton in Blog

Primary Care Providers may expect their patients to be asking more questions about Health Information in Netcare. Review this information and your policies and procedures with your staff so that you know how to respond.

In order to mark Data Privacy Day 2013 (January 28, 2013), the Information and Privacy Commissioner of Alberta, Jill Clayton, has announced a new initiative to inform Albertans about their privacy rights.

Under the authority of the Health Information Act (HIA), your health information is available through the province-wide electronic record system named Alberta Netcare. Netcare is a network of information systems that allows authorized users to see prescriptions, lab results, diagnostic images, and hospital reports. It is used throughout Alberta in hospitals, and in medical clinics and pharmacies.

Consent to have your health information in Netcare is not required by law, but you do have rights that allow you to exercise privacy control.

With the provincial electronic health record system, Alberta Netcare, you have the right to:

  • Know why your health information is collected and whether it is available in Netcare
  • Know what information about you is in Netcare by asking for a print-out
  • Limit access to your Netcare record by asking for your information to be masked
  • Know who has looked at your information in Netcare
  • Request that errors be corrected
  • Ask the Information and Privacy Commissioner to review or investigate if you are not satisfied with a decision or response you receive about any of these rights

For the OIPC webpage and contact information, visit: http://www.oipc.ab.ca/pages/HIA/NetcareKnowYourRights.aspx

To view the News Release from the OIPC, visit: http://www.oipc.ab.ca/Content_Files/Files/News/NR_Netcare_Know_Rights_Jan_2013.pdf

access, Alberta, electronic health record, Health Information Act, Netcare, OIPC, patient rights, privacy

Charges laid under the Health Information Act

Posted on October 31, 2012 by Jean Eaton in Blog

A self-reported breach by an individual to the Office of the Information and Privacy Commissioner resulted in an offence investigation being opened into suspicious access to health information. The completed investigation, after being referred to Crown prosecutors at Alberta Justice, led to thirty-one charges under the Health Information Act being laid for improperly accessing other individuals’ health information. Another charge was laid for inappropriate use of health information, another for inappropriate disclosure of health information, and one more charge for knowingly falsifying a record. In addition to these thirty-four charges under the Health Information Act, six charges were also laid under the Criminal Code.

The Calgary Herald reports that Brian Hamilton, OIPC Director for the Health Information Act, would only confirm the accused is not a doctor or other medical professional. The matter will be heard in Airdrie Provincial Court on Thursday, October 18, 2012.

The Edmonton Journal also reported that, in addition to the charges under the Health Information Act, the accused may face up to six Criminal Code charges.

Each organization has a responsibility to ensure that its employees (affiliates) receive education and training in their roles and responsibilities under the HIA. Information Managers can help you by providing training on-site and now by webinar.

For more information, see:
the OIPC Website (http://www.oipc.ab.ca/Content_Files/Files/News/NR_Oct_2012.pdf)

http://www.calgaryherald.com/health/Charges+laid+improper+access+health+files/7400003/story.html

http://www.edmontonjournal.com/health/Alberta+Justice+lays+charges+improperly+accessing+health+information/7399425/story.html

access, Alberta, complaint, disclosure log, Health Information Act, HIA, improperly accessing health information, OIPC, privacy, privacy breach, training

Calgary pharmacy found in violation of patient privacy rules

Posted on October 31, 2012 by Jean Eaton in Blog

Remember the Privacy Principles – least amount of information, on a need to know basis? This recent investigation report from the OIPC reminds us to review our practices to collect information from patients to ensure that we are meeting our best practice standards.

An investigation into a southwest Calgary Co-op pharmacy has found its practice of collecting information on the immune status of an individual when they seek administration of an injection contravenes the Health Information Act.

A patient of the pharmacy contacted the privacy commissioner in April 2012 after he was presented with a form that asked if he had a condition that affects the immune system when he went to the Co-op Shawnessy Centre Pharmacy to receive a vitamin B12 injection.

The patient feared being stigmatized due to an immune disorder that he suffered from, and felt that the amount of information being demanded was excessive. He filed a complaint after being refused treatment without providing the information.

The Health Information Act specifies that custodians must only collect the most limited amount of health information to carry out an intended purpose.

For more information, see:
http://www.calgaryherald.com/health/Calgary+Pharmacy+found+violation+patient+privacy+rules/7346243/story.html

complaint, Health Information Act, HIA, OIPC, privacy, privacy principles

Privacy commissioners call on small- and medium-sized businesses to look before they leap into the cloud

Posted on June 16, 2012 by Jean Eaton in Blog

EDMONTON, June 14, 2012 – Increasingly today, the word cloud is almost as likely to be spoken in a conversation about computing as it would in a discussion about the weather. New guidance issued by the Privacy Commissioner of Canada, and the Information and Privacy Commissioners of Alberta and British Columbia seeks to provide insight for small- and medium-sized enterprises (SMEs) to help their forecasting of potential benefits and risks posed by cloud-based services.

Cloud computing is the delivery of computing services over the Internet. SMEs may be attracted to cloud services as they can significantly reduce the cost and complexity of owning and operating computers and networks. Businesses using a cloud service provider don’t need to spend money on information technology infrastructure, or buy hardware or software licenses. Cloud services can also enable a business to store data offsite with the ability to access it over the Internet from the office, home or virtually anywhere.

In essence, this is a form of outsourcing. Businesses need to remember however that for any information they put in the cloud, the responsibility to safeguard it to the level required by Canada’s private sector privacy laws remains firmly with them.

The guidance includes key precautions and advice, such as:

  • Pay close attention to cloud service contracts. For example, might the fine print allow for third-party disclosures of the information stored?
  • Are your customers aware that their information might be outsourced to the cloud and do you have their consent?
  • Where in the world is the data stored and what law may apply? No matter what, the business outsourcing the data is responsible for ensuring it’s protected to a level expected under Canadian privacy law.

For more information see: OIPC website

cloud computing, cloud service provider, OIPC, privacy

Copyright 2022 Information Managers Ltd.
