Do You Know Where Your Policies And Procedures Are?

Posted on September 2, 2019 by Jean Eaton in Blog

This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice.

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. #PoliciesClick to Tweet

Don't let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta's Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose.

It started with at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Employee Dispute

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigative report is not the current custodian at the clinic. The physician was hired in 2015 and therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8 (6) of the Regulation states the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodians administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.

Policy and Procedure Manual

Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information in contradiction contravention of section 8(6) of the regulation.
The custodian was in contravention of section 8(6) of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note any collection use or disclosure of health information by an affiliate of a custodian is considered to be the collection, use, and disclosure by the custodian.
The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps.

Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
Oath of confidentiality documents should be signed by all of all clinic staff and custodians and maintained in a secure location.
Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.

Monitor

This incident occurred in 2016. The OIPC office did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide a provision for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure we have these administrative, technical, and physical safeguards in place and are maintained in a consistent fashion.

When you've done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Safeguards: The What, Why, and How

When Do You Need a PIA Amendment?

When is a Privacy Breach a Privacy Breach?

References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf

#PrivacyBreachNugget, Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, Patient privacy, physicians, Policies and procedures, Prevent privacy breaches, privacy, privacy breach, Privacy Impact Assessment, reasonable safeguards, templates

Meeting Leadership Podcast – Why Leaders Should Understand Privacy

Posted on September 2, 2019 by Jean Eaton in Blog

I'm tickled pink to be a guest on the 5 minute podcast with Gord Sheppard!

Meeting Leadership Podcast – Learn How To Become An Outstanding Leader Who Runs Highly Effective Meetings

On the podcast, we talked about What Leaders Need To Know To Start a Privacy Program.

Here’s a summary of our discussion.

Train Your Team About Privacy And Security

You must train your team about privacy and security in your practices.

Let me use an example. A business in Alberta had a privacy program in place in 2013. In 2018 they experienced a privacy breach where an employee was snooping and got caught. When the Commissioner's office did the investigation, nobody in that practice, nobody in that business could find the policies and procedures that they had in place in 2013. The staff told the investigator that they hadn't received any training since that time. (See the article, “Do You Know Where Your Policies Are?”)

We need to make sure that we're providing privacy and security training on a regular basis, not just on orientation. You need to keep privacy and security top of mind.

Privacy Is An Investment That Will Save You Money

Privacy awareness training and proper policies and procedures is an investment and it is part of your operating costs. It will also save you time and money by avoiding re-work and re-training. When you have good policies and procedures in place and you're making the right decisions, you're avoiding all sorts of other costs about fines, a bad reputation, poor customer service. When you build that into your practice, you're going to reap the rewards about having an efficient practice and making sure that you're meeting all those requirements.

The Benefits Of Naming a Privacy Officer

Every business needs to have a privacy officer in your organization. This is somebody that you have assigned with the responsibility to make sure that there's a privacy management program in place. Now, not all privacy officers need to know everything. They do need to know those important questions and they need to know how to make it practical for your business.

Stay tuned for an announcement about the new course, The Practical Privacy Officer starting in September.

When You Understand Privacy, You Make Better Business Decisions!

When you have good privacy practices in your business, you will make sure to also select the best vendors who can work with you that also demonstrate their knowledge and support about privacy practices. You can build privacy practices into your business contracts and your agreements. This will also help you to grow your business reputation and attract better business partners and business suppliers and better clients and customers for your organization.

I've put together a checklist for you about the 10 Key Steps To Prevent A Privacy Breach.

Download the checklist and make sure that you implement these best practices in your business.

Meeting Leadership Podcast

Learn How To Become An Outstanding Leader Who Runs Highly Effective Meetings – Daily Episodes – in just 5 minutes!

Poor communication is bad for business. At Meeting Leadership Inc. we take a unique approach to helping you learn how to communicate more effectively. First we help you turn your meetings into highly productive events that drive your organization strategy. Then we empower you with the ability to use online education to tell your story to the most important people in your world.

Check out the Meeting Leadership Podcast here!

leaders, Meeting Leadership Podcast, privacy breach, privacy management, privacy officer, privacy officer training, privacy program

Privacy Principles Applies After Death

Posted on August 5, 2019 by Jean Eaton in Blog

Are your staff looking at medical records when they shouldn’t be?

Many people have the mistaken impression they can look at a patient's medical records as long as they don’t tell anyone else.

You can’t.

We see over and over again in ‘snooping’ cases where seasoned and new healthcare providers and support team members don’t realize that looking at patient’s health information without a need to know that information to provide a health service right away is wrong.

Kate Dewhirst summarized this as

Privacy = don’t look
Confidentiality = don’t tell

We still need privacy awareness training – even those experienced healthcare providers who push back and say that they have been in the business for years still often have more to learn.

Yes, we still need privacy awareness trainingClick to Tweet

In this post I am sharing an example of the Ontario’s Information Privacy Commissioner (IPC) complaint investigation from the family of a deceased individual. Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

In 2014, a physician acting in his role as a coroner, accessed the deceased’s health record. Shortly thereafter, the family alleged that the physician, who was also a family member of the deceased, continued to access the deceased’s personal health information (PHI) contrary to Ontario’s Personal Health Information Protection Act (PHIPA).

The family submitted a complaint to the hospital. Initially, the hospital's response did not satisfy the family. The family filed a complaint to the Information and Privacy Commissioner (IPC) of Ontario.

The IPC started a complaint investigation.

Privacy Breach Investigation

Privacy Complaint Investigation

Under PHIPA, the hospital is a health information custodian and the physician is an agent of the hospital.

During the IPC investigation, the physician confirmed he “accessed the health information in response to his concern about the individual’s well-being.”

“I know now that proceeding in this way was misguided and wrong.” He would never disclose the information to anyone; that would be a violation of patient privacy and a breach of doctor – patient confidentiality.

The physician acknowledged he did not fully appreciate the related but distinct concepts of patient privacy, the circle of care, and the ‘need to know’ principle.

Confidentiality rights arise out the special relationship between the client and the health professional or provider.

In contrast, privacy rights are the general rights of all persons to limit the access to their PHI. Individuals have the right to privacy, even after death.

Individuals have the right to #privacy, even after death. Click to Tweet

4 Step Response Plan

The hospital received a complaint from the family, which triggers the first step to spot and stop the breach.

Secondly, the hospital did an initial investigation to evaluate the risks of the incident. Later, after the IPC initiated their complaint investigation, the hospital re-visited the internal investigation and completed a comprehensive review and used audit log reporting tools to assist them.

Eventually, the hospital took the third step and notified the individuals’ family of the privacy breach. However, the notification was not timely. A more comprehensive response to the families’ complaint, followed by a notice to the family may have provided a better response.

Preventing a similar breach is the fourth step.

Since this incident, the hospital has:

installed a new auditing program that considerably enhances its ability to detect unauthorized access.
updated its Privacy and Confidentiality Policy, which applies to all agents of the hospital.
developed a yearly electronic privacy training program for all staff, volunteers and learners and will require all credentialed physicians to complete this training as part of the annual reappointment process.
strengthened the privacy warning on its electronic system, which warns users that unauthorized use of personal health information may result in disciplinary action.

Privacy Breach Physician Sanctions

The hospital’s Medical Advisory Committee recommended to the Board of Directors that the physician’s privileges be suspended for three months, that the hospital conduct enhanced monitoring of the physician’s access to the electronic medical record for three years, and that, on his return to practice, the physician be required to present at Grand Rounds on the topic of privacy.

The IPC concluded that the disciplinary consequences for the physician were sufficient in the circumstances.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Privacy awareness education is more than just having policies and procedures. Demonstrating good practices, regular discussion about examples, and even gamification helps to ensure that all members of your healthcare team understand their roles and responsibilities.

If you need to start or update your privacy awareness training program, check out the on-line education Privacy Awareness in Healthcare: Essentials.

If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Plan.

When we know better, we can do better…

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video "Can You Spot the Privacy Breach?"

References and Resources

Dewhirst, Kate. After Death: Who Can Access The Records Of A Patient After Death? May 7, 2019. https://katedewhirst.com/blog/2019/05/07/after-death-who-can-access-the-records-of-a-patient-after-death/

Ontario Information and Privacy Commissioner IPC Investigation Report PHIPA DECISION 74 HC15-4 Sault Area Hospital August 10, 2018.

#PrivacyBreachNugget, 4 Step Response Plan, clinic, complaint investigation, death, deceased, healthcare, IPC, medical, Ontario, PHIPA, privacy, privacy after death, privacy awareness training, privacy breach, privacy breach nugget, privacy principles

Meeting Leadership Podcast – Why Leaders Should Understand Privacy

Posted on July 26, 2019 by Jean Eaton in Blog

I'm tickled pink to be a guest on the 5 minute podcast with Gord Sheppard!

Meeting Leadership Podcast – Learn How To Become An Outstanding Leader Who Runs Highly Effective Meetings

On the podcast, we talked about Why Leaders Should Understand Privacy.

Here’s a summary of our discussion.

Privacy is Good For Business!

Privacy applies to every leader in every business. We each have personal information in our businesses. It might be information about our employees, our volunteers, or our directors. It might be information about clients and customers, our business partners, and our business suppliers. We each have sensitive information about our business.

When leaders understand privacy, you have privacy practices in place including good written policies and procedures about how you will collect, use, and disclose personal information you will be able to make sure that you are meeting regulatory compliance. Written policies and procedures makes it easy to consistently onboard employees and volunteers in a consistent way to confidently and properly manage personal information in your business.

Avoid Fines, Penalties, Charges, Time-Sucking Notification Process and Even Jail!

When you have written policies and procedures in place and you provide privacy awareness training to your staff, you can avoid fines, penalties, charges, and time sucking notification process and even jail time!

We've seen recently in the Desjardins data breach in July 2019 where an employee–somebody that was trusted within that organization—who had access to client banking and financial information improperly used that information for their financial gain. This included access to client’s name, address, date of birth, and the social insurance number and other really sensitive financial information. Apparently, because this employee wasn't happy with where they worked, they shared sensitive personal information inappropriately. This breach has affected tens of thousands of clients and individuals in Canada and it's being talked about in emergency session of parliament.

This is an absolute financial disaster for any large business because you know immediately just the marketing goodwill impact alone it takes what a million years to build up your business in an hour to tear it down in this kind of thing.

But maybe it's even more important for the smaller business. That one privacy breach is going to have a huge impact the amount of time and reputation of your business. If you also receive a fine of, say, $200,000, well I don't know many small businesses that can absorb that in a business financial cycle.

When You Understand Privacy, You Make Better Business Decisions!

I've put together a checklist for you about the 10 key steps to prevent a privacy breach.

Download the checklist and make sure that you implement these best practices in your business.

Meeting Leadership Podcast

Learn How To Become An Outstanding Leader Who Runs Highly Effective Meetings – Daily Episodes – in just 5 minutes!

Check out the Meeting Leadership Podcast here!

Desjardins, leaders, Meeting Leadership Podcast, privacy breach, privacy management

Safeguards: The What, Why, and How

Posted on July 14, 2019 by Meghan Davenport in Blog

Guest Blog Post by Tamara Beitel

Health Information Management Student, Centre for Distance Education, May 2015

Picture this, the reception room of the clinic was clean and organized, the patients were happy as they were quickly seen by an efficient, positive and qualified healthcare team. This is what happens when the clinic has taken the time to design their safeguards.

What are safeguards? Why are they important to you? How do you implement these safeguards into your clinic/office?

These are important questions to consider when thinking about safeguards. Implementing safeguards will make your clients/patients feel more confident that their personal information is safe. They will be more willing to share their information.

Why should you safeguard health information?

It is important to safeguard health information to protect your business, your reputation, and helps employees understand privacy, security and confidentiality. When your clients/patients see that you are actively making sure that their personal information is safe, they feel more confident in sharing that information knowing it will be protected.

What are safeguards?

There are three types of safeguards to use in maintaining the privacy and confidentiality of health information in your clinic.

Administrative safeguards are the policies and procedures and other written documents. Policies and procedures direct staff to properly access patient information, privacy training for staff, monitoring the policies and procedures, dealing with receiving and responding to privacy complaints and inquiries, and dealing with transferring, retaining and destroying personal information contained on electronic devices.

There is privacy breach management to help prevent or in case of a breach what the procedure is in dealing with the breach. In the blog, When is a privacy breach a privacy breach?, it discusses the repercussions of not implementing breach policies and also discusses the legislation that is in place to safeguard personal information from breaches. It is important to acknowledge when a breach has occurred, that you have taken the proper steps to address the breach, and have learned from the breach so as not to repeat the same mistakes.

Examples of Policies and Procedures:

Signed oaths of confidentiality for all affiliates
Screens should be private and not viewable from public areas
Prohibit disclosure of patient diagnostic, treatment and care information over the phone, even to an individual who claims to be the patient

Technical Safeguards are controls that protect and control access to personally identifiable and health information. Technical safeguards include electronic devices, surveillance cameras, security systems, and telephone systems. Let’s focus on electronic health information and computer networks for example.

Audits of the security and computer systems are vital to maintain privacy and security of personal information. Through audits you can enforce compliance of the policies and procedures and see where changes, if any, are needed. It helps the staff to be aware of the importance in protecting the client/patient personal information. They see that there are consequences for not following policies and procedures.

You should also be aware of the risks from external threats. These include:

identity theft
loss of information
information shared with unauthorized individuals
Some examples of external threats are: malware (malicious software, designed to infiltrate or damage a computer system), spyware (a type of malware that collects information, such as key loggers), and irresponsible use of the Internet

Mitigation strategies include:

regular training and refreshers on privacy and security
IT professionals reassess any software/hardware additions/changes

Examples of technical safeguards in electronic medical records (EMRs) are:

Strong passwords
Encryption of data
Using role-based access to limit access to health information to a need to know basis (user-based access rights ((secure)), role-based rights ((more secure)) and context-based rights ((most secure))

Physical Safeguards are the physical measures used to protect electronic health information from unauthorized access. This includes precautions to prevent break-ins, theft of computers and files, unauthorized access to personal information, applying physical barriers and control procedures against threats to personal information, and policies and procedures on locking up at night, computer etiquette, and office set up (how and where computers, fax machines etc. are set up).

Examples of physical safeguards are:

Limiting access to the building, clinic and storage areas
Alarms and security cameras, doors and locks, lighting
Placing fax machines and printers out of sight and reach of public areas

Safeguards Next Steps

All three of the safeguards should be used in conjunction with each other. The use of these safeguards will help protect your client/patient information from breach, identity theft, loss and unauthorized access. You have the power to make the clinic/office safe from threats to security, privacy and confidentiality. Your clients/patients will know that you have taken all reasonable steps to ensure that their personal information has been protected and appreciate it. It is beneficial to your clinic to review all of your safeguard measures with staff and have regular audits, reviews, updates to the policies and procedures, systems, and security of the clinic. There are many self-assessment tools available from the Privacy Commissioners in the provinces and from the federal government. See the resources below.

About the author: Tamara Beitel has successfully completed the Health Information Management Diploma at Centre for Distance Education, she is currently preparing to challenge the National Certification Exam in July 2015. Tamara is looking forward to work as a Certified Health Information Management (CHIM) professional in the area of policy and privacy protection in the Calgary area.

Resources

Privacy Awareness Training– Corridor Interactive – Privacy Awareness in Healthcare: Essentials

Jean Eaton, When is privacy breach a privacy breach? https://informationmanagers.ca/privacy-breach-privacy-breach/

Office of the Information and Privacy Commissioner of Alberta

Office of the Privacy Commissioner of Canada

best practice, clinic management, good security practices, privacy, privacy breach, Safeguards, security

When is a Privacy Breach a Privacy Breach?

Posted on July 13, 2019 by Jean Eaton in Blog

The biggest mistake in managing a privacy breach is not recognizing the privacy breach.

The second biggest mistake is not knowing what to do about it.

The recent publicity about the privacy breach in Alberta when a laptop with health information was stolen and came to the public's attention several months later is not the first news item of its kind. In fact, this happens frequently in healthcare, retail, government departments and other industries. This doesn't make it any easier to swallow and certainly doesn't make it right. But this is an opportunity for you, healthcare provider or practice manager, and vendor to make sure that you have good practices in place to manage your next privacy breach.

Health information is recognized as being particularly sensitive and important to the person that the information is about. It is so important, in fact, that a new breed of legislation was developed to set out specific rules to ensure that the health information has robust safeguards (administrative, technical, and physical) to keep the health information confidential and secure. In Alberta, the Health Information Act (HIA) was proclaimed in 2001 to help custodians (people or organizations who collect, use, and disclose health information) ensure that they have identified the risks to breach of health information and how to prevent those risks. The legislation also ensures that the people who the health information is about have access to their personal health information.

In August 2018, amendments to the HIA were proclaimed that make it mandatory to report a privacy breach that could result in harm to the Office of the Information and Privacy Commissioner (OIPC).

Privacy breaches come in all types and sizes. One of the most common forms of a privacy breach is when a clinic or healthcare provider intends to send a report to another healthcare provider for continuing care and treatment but it is sent to the wrong physician. Or, the referral request went to the correct physician but included extra information about another patient that was not part of the referral.

What Is Considered a Privacy Breach?

A privacy breach is an unauthorized access to or unauthorized collection, use, disclosure , loss, or disposal of personal or health information.

To each of us, our own personal health information is important. As a healthcare industry, we need to ensure that we recognize this and acknowledge that each privacy breach is important to the person the information is about. We need to make sure that we minimize the risk of the information being used inappropriately or maliciously. We need to acknowledge to ourselves and to our patients and clients that we are human and that sometimes we do make mistakes and we will strive to do better.

A ‘small' breach of one person one time might have a big impact to the individuals involved.

A ‘big' breach of a lost laptop might have a bigger magnitude affecting many individuals.

When a breach also meets the requirements of mandatory notification, a custodian must report the breach regardless of how many people's information have been included in the breach.

4 Step Response Plan

When you have a privacy breach, follow these four steps to manage the privacy breach incident.

Step 1 – Spot and Stop the Breach

Each breach is important and needs to be recognized. Contain the breach so that it doesn't get any bigger.

Step 2 – Evaluate the Risks

Your privacy officer will investigate the incident and learn about the size, scope, and details about the breach. Consider if there is a reasonable basis to believe that there is a risk of harm to an individual

Step 3 – Notify

Notify the custodian, the affected individuals and (now, with the 2018 amendments), the Alberta OIPC, Minister of Health, Alberta Health (if the breach includes Netcare) and others.

The individual who's information has been breached needs to be made aware of the problem and the risk that might be experienced so that they can be prepare to limit the risks. The custodian needs to know how to manage the privacy breach and report it – internally and perhaps to other stakeholders.

Step 4 – Prevent the Breach From Happening Again

Correct and monitor the incident(s). Actively take steps so that the breach does not happen again.

Not Sure What To Do?

You never know when a privacy breach will happen! Prepare now with a privacy breach management program and coaching from the Practical Privacy Coach!

Learn what to do if you have a privacy breach.

4 Step Response Plan, Alberta, breach, Health Information Act, HIA, OIPC, privacy, privacy breach, training

Tax Season and Fraud Prevention Patient Access to Information

Posted on April 2, 2019 by Jean Eaton in Blog

Ever thought that someone might want to submit your tax returns for you?

No problem.

They will even collect your refund – their payday when they scam your personal identity.

Michael Kaiser Blog, Executive Director of Stay Safe Online, notes on his blog that tax cyber crimes are on the rise. The Tax ID thieves usually file returns early using the taxpayers' stolen personal information so that they can cash the refunds before the taxpayer can file their legitimate tax return.

Help Your Patients to Understand How to Safely Access Their Information

When patients or clients ask you for their account statement information, take the time to ask them for photo ID and a proper authorization to disclose their personal information.

Help them to understand that you can release their own information to the patient or to another person (a spouse, for example) only with the patient's written authorization. Even ‘just' health care billing information is important.

Show your patients that you care about the safety of their information by taking steps to make sure we are protecting their patient and client information.

This Practice Management Success Tip includes

Tips to help you implement this procedure
Template authorization form
Poster to quickly explain to your patients how your procedure helps to protect their privacy

Yes I Want the Poster and Procedure Template! authorization, disclosure, patient access to information, Phishing email, privacy breach, tax cyber fraud, tax fraud

Fax Received in Error – Is this a Notifiable Privacy Breach?|

Posted on March 28, 2019 by Jean Eaton in Blog

Has this ever happened to you?

You are a clinic manager in a healthcare practice. One day, you receive a phone from a healthcare provider in another clinic.

They have received a fax with patients’ health information from someone in your clinic. But the fax is not addressed to them – they received it in error.

Is this a mandatory notifiable privacy breach under Alberta’s new Health Information Act (HIA) regulations?

Part A: Circumstances Where Notification Is Required

There are 5 triggers under the Alberta Health Information Act (HIA) that require mandatory privacy breach notification to the Office of the Information and Privacy Commissioner (OIPC) and the Alberta Minister of Health and the individual(s) affected in the breach.

In this scenario, the receiving custodian accessed health information for an individual who was not his patient. Clearly, there is a reasonable basis to believe that the information has been accessed (read) by a person (section 8.1(1)(a) of the Health Information Regulation.)

However, the sending custodian had no reason to believe that the information would be misused.

Fax Sending Receiving Error

Part B: Circumstances Where Notification Is Not Required

The sending custodian assessed the circumstances of the breach and concluded (as per section 8.1(1)(i) of the Health Information Regulation) that the receiving custodian:

Accessed the health information in a manner consistent with his role as a health services provider and did not do it for an improper purpose.
Is subject to confidentiality policies and procedures that meet the requirements of section 60 of the Act.
Did not use or disclose the information beyond determining that he received it in error.

The sending custodian assessed that the risk is appropriately mitigated and this privacy breach incident did not trigger mandatory notification requirements.

Next Steps

The sending custodian must record the privacy breach in their business records. (I suggest that you use an internal privacy breach reporting form and spreadsheet. You can access these templates in the 4 Step Response Plan.) Remember to include your determination that you do not need to report this breach and the reasons that support your decision.

We know that faxes are a frequent source of privacy breach incidents. What can you do in your practice to reduce the risk of faxes in error?

Practice Management Nuggets Podcast

This topic is included in our Practice Management Nuggets podcast! Be sure to tune in to the podcast episode Fax Received in Error – Is this a Notifiable Privacy Breach? | Episode #067 .

Listen to the Podcast

My Favorite Takeaways From the Podcast

Understand the mandatory privacy breach notification triggers and the circumstances where notification is not required.
Record your privacy breaches – even the ones that do not trigger mandatory privacy breach notification.
Review and improve your fax procedures. We know that this continues to be a frequent source of breaches. What can you do to better manage this known risk?

If you are a member of Practice Management Success, login here and view the webinar replay.

#PracticeManagementNuggets, clinic, fax, healthfare, mandatory privacy breach notification, medical, podcast, privacy breach

Curiosity Is NOT Need-To-Know

Posted on February 18, 2019 by Jean Eaton in Blog

I am often asked if it is ‘OK’ to look up patients information on Netcare when the patient hasn’t been seen for some time and the care provider wants to know how they are doing.

Let me be clear: If you are not currently providing a health service to the patient in a current episode of care, you must not look up that patient’s information on Netcare or any other EMR or paper system.

The patient has a right to privacy – which means don’t look unless you have a need to know.

Curiosity is not a legitimate need to know. That is snooping!

You Can Use This Privacy Breach Example to Review and Improve Your Practices

Pro-active Auditing Reveals Snooping in Sask eHealth

What Happened

On April 6, 2018, a highway collision occurred involving the hockey team Humboldt Broncos which left 16 dead and 13 injured.

The trustee of the Saskatchewan Electronic Health Record Viewer, eHealth, pro-actively audited their electronic health record system to identify potential unauthorized use of the system by authorized users.

eHealth detected that two physicians and an administrator at the Humboldt Clinic Limited inappropriately accessed the personal health information of two individuals involved in a collision involving the Humboldt Broncos.

The auditing revealed that there were many instances where access was made between April 7 and April 10 to the records of two patients. The records belonged to two individuals who died in the crash on April 6.

The physicians had provided care to the individuals in January of 2018 but were not involved in providing care to them on or about April 6. The physicians’ access was prompted because of their ‘concern’ for the individuals.

[click_to_tweet tweet=”Curiosity is NOT need-to-know! The patient has a right to privacy – which means don’t look unless you have a need to know to provide a current health service to the patient. @InfomanLtd #PrivacyBreach #Privacy #PrivacyBreachNugget” quote=”Curiosity is NOT need-to-know! “]

Clearly, these users of the Viewer were not currently providing care and treatment to the patients.

The access of the Viewer in this example not a legitimate need-to-know under Saskatchewan’s The Health Information Protection Act (HIPA).

eHealth reported these privacy breaches to the Information and Privacy Commissioner (IPC) of Saskatchewan.

4 Step Response Plan

The trustee, eHealth, undertook the first step to respond to a privacy breach by spotting and stopping the breach. The audit identified the breach. Then eHealth contained the breach by suspending or terminating access to the Viewer.

Secondly, eHealth appropriately notified the individuals’ next of kin of the privacy breach.

The third step is to investigate the breach. eHealth notified the IPC of the breach. The clinic, however, did not investigate the cause of the privacy beach.

Preventing a similar breach is the fourth step. The clinic has privacy policies and a privacy training strategy. The eHealth Viewer also has online training for its users.

IPC Recommendations

Subsequent to its investigation, the Saskatchewan IPC observed that the training had not prevented this breach.

The IPA recommended that the clinic provide further training to its employees and contractors on the need-to-know principle. Additionally, the clinic is recommended to document the privacy breaches and the lessons learned to prevent a similar privacy breach.

Reference: Saskatchewan IPC Investigation Report 177-2018, January 29, 2019

Privacy Breach Nuggets You Need to Know

There are many privacy breaches in the news each day. The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain.

Privacy education is more than just having policies and procedures. Demonstrating good practices, regular discussion about examples, and even gamification helps to ensure that all members of your healthcare team understand their roles and responsibilities.

If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Pain.

“When we know better, we can do better”

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

#digitalhealth, clinic, healthcare, HIPA, Humboldt, medical, privacy breach, privacy breach nugget

How Will Mandatory Privacy Breach Reporting Affect You?

Posted on July 24, 2018 by Jean Eaton in Blog, PMN Upcoming

Mandatory Privacy Breach Reporting is Coming to Alberta!

Do you know how this will affect your healthcare practice?

. . then this free webinar is for you!

If you are a custodian–including physicians, optometrists, pharmacists, dentists, dental hygienists, chiropractors, nurse practitioners, podiatrists, midwives, optometrists, opticians, and more!–as defined by Alberta's Health Information Act, then . . then this free webinar is for you!

You need to know how mandatory privacy breach reporting will affect you!

In this Free Webinar, Jean L. Eaton, Your Practical Privacy Coach will explain

what is a privacy breach
why a privacy breach is a significant problem
why have mandatory privacy breach reporting
offence and penalty provisions of the HIA
privacy breach notification requirements
what you need to do before August 31, 2018

Join us for this Free webinar

Recorded LIVE Thursday July 26, 2018

Register NOW to get immediate access to the replay and valuable resources to help you prevent privacy breach pain!

. . . available for a limited time!

Register for the FREE Live Webinar Replay!

Check your email for the link to the webinar!

You will also benefit from receiving notices about upcoming events on Privacy Nuggets and similar announcements.

We don't sell or share your personal information. Ever.

Jean L Eaton, Your Practical Privacy Coach with Information Managers Ltd.

“When we know better, we can we do better.”

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too!

I help primary care practice managers and health care providers properly manage the risk of a privacy breach, stay out of jail, avoid fines AND keep an efficient practice!

Jean L. Eaton, Your Practical Privacy Coach Information Managers Ltd.

#PracticeManagementNuggets, amendment, health care, healthcare, mandatory privacy breach reporting, medical, privacy breach, privacy breach notification, Privacy Impact Assessment

1 2 3 4