Tax Season and Fraud Prevention Patient Access to Information

Posted on April 2, 2019 by Jean Eaton in Blog

Ever thought that someone might want to submit your tax returns for you?

No problem.

They will even collect your refund – their payday when they scam your personal identity.

Michael Kaiser Blog, Executive Director of Stay Safe Online, notes on his blog that tax cyber crimes are on the rise. The Tax ID thieves usually file returns early using the taxpayers' stolen personal information so that they can cash the refunds before the taxpayer can file their legitimate tax return.

Help Your Patients to Understand How to Safely Access Their Information

When patients or clients ask you for their account statement information, take the time to ask them for photo ID and a proper authorization to disclose their personal information.

Help them to understand that you can release their own information to the patient or to another person (a spouse, for example) only with the patient's written authorization. Even ‘just' health care billing information is important.

Show your patients that you care about the safety of their information by taking steps to make sure we are protecting their patient and client information.

This Practice Management Success Tip includes

Tips to help you implement this procedure
Template authorization form
Poster to quickly explain to your patients how your procedure helps to protect their privacy

Yes I Want the Poster and Procedure Template! authorization, disclosure, patient access to information, Phishing email, privacy breach, tax cyber fraud, tax fraud

Fax Received in Error – Is this a Notifiable Privacy Breach?|

Posted on March 28, 2019 by Jean Eaton in Blog

Has this ever happened to you?

You are a clinic manager in a healthcare practice. One day, you receive a phone from a healthcare provider in another clinic.

They have received a fax with patients’ health information from someone in your clinic. But the fax is not addressed to them – they received it in error.

Is this a mandatory notifiable privacy breach under Alberta’s new Health Information Act (HIA) regulations?

Part A: Circumstances Where Notification Is Required

There are 5 triggers under the Alberta Health Information Act (HIA) that require mandatory privacy breach notification to the Office of the Information and Privacy Commissioner (OIPC) and the Alberta Minister of Health and the individual(s) affected in the breach.

In this scenario, the receiving custodian accessed health information for an individual who was not his patient. Clearly, there is a reasonable basis to believe that the information has been accessed (read) by a person (section 8.1(1)(a) of the Health Information Regulation.)

However, the sending custodian had no reason to believe that the information would be misused.

Fax Sending Receiving Error

Part B: Circumstances Where Notification Is Not Required

The sending custodian assessed the circumstances of the breach and concluded (as per section 8.1(1)(i) of the Health Information Regulation) that the receiving custodian:

Accessed the health information in a manner consistent with his role as a health services provider and did not do it for an improper purpose.
Is subject to confidentiality policies and procedures that meet the requirements of section 60 of the Act.
Did not use or disclose the information beyond determining that he received it in error.

The sending custodian assessed that the risk is appropriately mitigated and this privacy breach incident did not trigger mandatory notification requirements.

Next Steps

The sending custodian must record the privacy breach in their business records. (I suggest that you use an internal privacy breach reporting form and spreadsheet. You can access these templates in the 4 Step Response Plan.) Remember to include your determination that you do not need to report this breach and the reasons that support your decision.

We know that faxes are a frequent source of privacy breach incidents. What can you do in your practice to reduce the risk of faxes in error?

Practice Management Nuggets Podcast

This topic is included in our Practice Management Nuggets podcast! Be sure to tune in to the podcast episode Fax Received in Error – Is this a Notifiable Privacy Breach? | Episode #067 .

Listen to the Podcast

My Favorite Takeaways From the Podcast

Understand the mandatory privacy breach notification triggers and the circumstances where notification is not required.
Record your privacy breaches – even the ones that do not trigger mandatory privacy breach notification.
Review and improve your fax procedures. We know that this continues to be a frequent source of breaches. What can you do to better manage this known risk?

If you are a member of Practice Management Success, login here and view the webinar replay.

#PracticeManagementNuggets, clinic, fax, healthfare, mandatory privacy breach notification, medical, podcast, privacy breach

Curiosity Is NOT Need-To-Know

Posted on February 18, 2019 by Jean Eaton in Blog

I am often asked if it is ‘OK’ to look up patients information on Netcare when the patient hasn’t been seen for some time and the care provider wants to know how they are doing.

Let me be clear: If you are not currently providing a health service to the patient in a current episode of care, you must not look up that patient’s information on Netcare or any other EMR or paper system.

The patient has a right to privacy – which means don’t look unless you have a need to know.

Curiosity is not a legitimate need to know. That is snooping!

You Can Use This Privacy Breach Example to Review and Improve Your Practices

Pro-active Auditing Reveals Snooping in Sask eHealth

What Happened

On April 6, 2018, a highway collision occurred involving the hockey team Humboldt Broncos which left 16 dead and 13 injured.

The trustee of the Saskatchewan Electronic Health Record Viewer, eHealth, pro-actively audited their electronic health record system to identify potential unauthorized use of the system by authorized users.

eHealth detected that two physicians and an administrator at the Humboldt Clinic Limited inappropriately accessed the personal health information of two individuals involved in a collision involving the Humboldt Broncos.

The auditing revealed that there were many instances where access was made between April 7 and April 10 to the records of two patients. The records belonged to two individuals who died in the crash on April 6.

The physicians had provided care to the individuals in January of 2018 but were not involved in providing care to them on or about April 6. The physicians’ access was prompted because of their ‘concern’ for the individuals.

[click_to_tweet tweet=”Curiosity is NOT need-to-know! The patient has a right to privacy – which means don’t look unless you have a need to know to provide a current health service to the patient. @InfomanLtd #PrivacyBreach #Privacy #PrivacyBreachNugget” quote=”Curiosity is NOT need-to-know! “]

Clearly, these users of the Viewer were not currently providing care and treatment to the patients.

The access of the Viewer in this example not a legitimate need-to-know under Saskatchewan’s The Health Information Protection Act (HIPA).

eHealth reported these privacy breaches to the Information and Privacy Commissioner (IPC) of Saskatchewan.

4 Step Response Plan

The trustee, eHealth, undertook the first step to respond to a privacy breach by spotting and stopping the breach. The audit identified the breach. Then eHealth contained the breach by suspending or terminating access to the Viewer.

Secondly, eHealth appropriately notified the individuals’ next of kin of the privacy breach.

The third step is to investigate the breach. eHealth notified the IPC of the breach. The clinic, however, did not investigate the cause of the privacy beach.

Preventing a similar breach is the fourth step. The clinic has privacy policies and a privacy training strategy. The eHealth Viewer also has online training for its users.

IPC Recommendations

Subsequent to its investigation, the Saskatchewan IPC observed that the training had not prevented this breach.

The IPA recommended that the clinic provide further training to its employees and contractors on the need-to-know principle. Additionally, the clinic is recommended to document the privacy breaches and the lessons learned to prevent a similar privacy breach.

Reference: Saskatchewan IPC Investigation Report 177-2018, January 29, 2019

Privacy Breach Nuggets You Need to Know

There are many privacy breaches in the news each day. The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain.

Privacy education is more than just having policies and procedures. Demonstrating good practices, regular discussion about examples, and even gamification helps to ensure that all members of your healthcare team understand their roles and responsibilities.

If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Pain.

“When we know better, we can do better”

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

#digitalhealth, clinic, healthcare, HIPA, Humboldt, medical, privacy breach, privacy breach nugget

How Will Mandatory Privacy Breach Reporting Affect You?

Posted on July 24, 2018 by Jean Eaton in Blog, PMN Upcoming

Mandatory Privacy Breach Reporting is Coming to Alberta!

Do you know how this will affect your healthcare practice?

. . then this free webinar is for you!

If you are a custodian–including physicians, optometrists, pharmacists, dentists, dental hygienists, chiropractors, nurse practitioners, podiatrists, midwives, optometrists, opticians, and more!–as defined by Alberta's Health Information Act, then . . then this free webinar is for you!

You need to know how mandatory privacy breach reporting will affect you!

In this Free Webinar, Jean L. Eaton, Your Practical Privacy Coach will explain

what is a privacy breach
why a privacy breach is a significant problem
why have mandatory privacy breach reporting
offence and penalty provisions of the HIA
privacy breach notification requirements
what you need to do before August 31, 2018

Join us for this Free webinar

Recorded LIVE Thursday July 26, 2018

Register NOW to get immediate access to the replay and valuable resources to help you prevent privacy breach pain!

. . . available for a limited time!

Register for the FREE Live Webinar Replay!

Check your email for the link to the webinar!

You will also benefit from receiving notices about upcoming events on Privacy Nuggets and similar announcements.

We don't sell or share your personal information. Ever.

Jean L Eaton, Your Practical Privacy Coach with Information Managers Ltd.

“When we know better, we can we do better.”

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too!

I help primary care practice managers and health care providers properly manage the risk of a privacy breach, stay out of jail, avoid fines AND keep an efficient practice!

Jean L. Eaton, Your Practical Privacy Coach Information Managers Ltd.

#PracticeManagementNuggets, amendment, health care, healthcare, mandatory privacy breach reporting, medical, privacy breach, privacy breach notification, Privacy Impact Assessment

How NOT to Respond to a Privacy Complaint!

Posted on January 18, 2018 by Jean Eaton in Blog

Do your staff know how to respond to a privacy complaint? Do your staff, volunteers, or directors login to a server to access documents remotely? Have you done a security assessment to ensure that the access is secure? Do they know how to manage confidential documents once they have downloaded them?

You Can Use This Privacy Breach Example to Review and Improve Your Practices

Do you store confidential documents on your website? After all, a website is a type of a file server accessible from an internet connection that is often hosted by a third party. There is often a public access and a members-only side for authorized users to login and view and download documents.

Maybe you intended only authorized users to access the file – but are you sure that it is secure? Here's what can happen if your confidential documents can be found by the public!

In 2016, personal information of the 285 clients was compiled into an electronic file, prepared for the service’s board of directors on new cases arising between April and November of 2015, but was not properly secured on the agency’s website. The files were subsequently viewed by the public.

What happened

An alleged privacy breach at Family and Children’s Services of Lanark, Leeds and Grenville (FCSLLG) of Brockville, Ontario in 2016 has led to the agency being sued for negligence, invasion of privacy and a breach of the Canadian Charter of Rights and Freedoms.

The personal information of the 285 clients was compiled into an electronic file, and prepared for the service’s board of directors to review in the course of their business.

The list was publicly available to anyone, who knew the correct URL website address.

Someone accidently ‘found’ the website address and saw the confidential information. She notified the FCSLLG and warned them that the information was available to the public. When she did not receive a response from FCSLLG that acknowledged her concern and correct the problem, she posted the information on Facebook.

[clickToTweet tweet=”If you ignore a #PrivacyBreach, this could happen to you!” quote=”If you ignore a privacy complaint, this could happen to you!”]

The lawsuit seeks $25 million in general damages, $25 million in special damages and $25 million in punitive, aggravated and exemplary damages.

The lawsuit alleges that the FCSLLG website was completely unsecured between February and April 2016, with the full knowledge of FCSLLG.

Privacy Nuggets You Need to Know

We can only wonder about the outcome of the breach if the staff at the agency had promptly responded to the privacy breach complaint. It is possible that if the agency had secured the information immediately and limited any further disclosure that the law suit might had been avoided.

Know how to properly respond to a privacy and security complaint or privacy breach. Create or review your written procedures now!
Identify and train a privacy officer in your business.

This unfortunate breach is a good reminder for all businesses to follow-up with your information technology and website host support to ensure that your server has been properly secured and training provided to staff to properly upload files to the secure server. In addition:

Consider hiring a managed service provider to ensure secure access only to authorized users. If you allow remote access to confidential information, you can’t afford not to have experts to help you!
Know how to secure documents on your file server.
Make sure that your authorized users know how to securely manage the documents after they have downloaded them from your secure file server.

There are many privacy breaches in the news each day. The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain.

When we know better, we can do better

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

Ready for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”

FREE 15-minute Privacy Breach Awareness On-line Training.

Along with your registration, you will also benefit from the occasional Privacy Nugget tips by email of similar privacy resources and articles that you can use right away!
Read More

healthcare, medical, privacy breach, privacy breach nugget, privacy complaint, privacy nuggets

Privacy Awareness in Healthcare: Essentials

Posted on May 15, 2017 by Jean Eaton in Blog, Services, Training

Privacy Awareness Training

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. If you don’t provide the training, if the employees don’t understand the policies and there is a privacy breach, then the healthcare provider is more likely to be held accountable under the legislation and face penalties including fines and even prison!

Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information. Healthcare businesses who want employee and supervisor level privacy awareness training to support key policies, procedures and risk management programs need a privacy awareness training program.

“Privacy Awareness in Healthcare: Essentials” training is a 2 part, on-line training program for healthcare providers, support team, and vendors to confidently and correctly handle personal health information and to recognize and report a privacy breach.

If You

work in healthcare or social services
are a member of a health profession or work with healthcare professionals
are a business vendor, contractor, or provide services with a healthcare or social services organization

You Need Privacy Awareness in Healthcare: Essentials

You will

Understand patient and client privacy rights.
Respect personal health information and your obligations.
Confidently and correctly handle personal health information.
Use reasonable safeguards to protect personal health information (PHI).
Recognize and respond to a privacy breach
Support key policies, procedures and risk management programs in your healthcare practice.

Interactive Online Learning Experience provided by Corridor Interactive

Corridor Interactive’s Buy Now Training Programs give you access to the most current information available, at your convenience. Complete your course all at once, or in multiple sessions from any location – it’s up to you. All you need is an internet connection and an email address to get started…it’s that easy!

Fits into your schedule – you can start, pause at anytime, and return to the course exactly where you left off.
Easy to use – navigation buttons makes it easy to continue to the next topic or pick and choose the order that you want to see the content.
Get started immediately – the entire course is ready for you!
Work at your own pace – you have access to the course for three (3) months. Most students complete the course in under 2 hours.
You can listen to the narration for each module.
Practical examples, too, to make it easier for you to apply what you have learned in the course to your job.
Links to extra resource material and websites related to your topic of study, to peruse at your convenience.
A printable Certificate of Completion, available as soon as you successfully complete your course.
An audit trail and record of your course activity and training history.
Self-directed learning features including the ability to pause your course at any time and resume later, right from where you left off.
Unlimited access to your course and resources for the duration of your subscription term.
Technical support with a one-business day turnaround for end-user support help and questions.
Automatic emails when you complete your course, or reminders if you have not completed.
This course is pre-approved by the International Association of Privacy Professionals (IAPP) for 2.5 Group A Continuing Professional Education (CPE) credits for CIPP/C, CIPM, and CIPT-certified individuals.

Developed by Corridor’s team of seasoned software specialists and instructional designers, this unique online learning application is the optimum vehicle for delivering learning content.

NEW! Ontario PHIPA Version Available Now!

Privacy Awareness Essentials in Healthcare online training series launches with Ontario PHIPA version during #PAW2017 week May 15-21, 2017. In conjunction with Privacy Awareness Week, Information Managers www.InformationManagers.ca and Corridor Interactive www.CorridorInteractive.com have announced the release of the newest addition of the “Privacy Awareness in Healthcare: Essentials” series with a focus on Ontario’s Personal Health Information Protection Act (PHIPA) legislation. The first on-line privacy awareness training in this series released in 2016 focused on Alberta’s Health Information Act. Many other provinces have health information legislation as well, and while some of the key terms differ from province to province, this privacy awareness training is applicable to any organization that collects, uses, and discloses personally identifying information.

When you purchase the course, select the Ontario or the Alberta version of Privacy Awareness Essentials in Healthcare.

Not sure if the Privacy Awareness in Healthcare: Essentials training is right for you?

Watch this Practice Management Nuggets Webinar interview with Heather Mooney for a detailed look at the online course.

This short video from Corridor Interactive will give you a glimpse into the look and feel of the online course experience.

I'm convinced! Sign me up!

$35 per subscription

Register Now

Give your staff the knowledge and tools they need to apply policy in their day-to-day work AND prevent a privacy breach with privacy awareness training.

Privacy Awareness in Healthcare: Essentials

Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information. Learn basic healthcare privacy principles and how to handle personal health information, use safeguards, and recognize and report a privacy breach.

Along with your registration to the course from Corridor Interactive, you will also benefit from the occasional Privacy Nugget tips from Your Practical Privacy Coach by email of similar privacy resources and articles that you can use right away!

I have used Corridor's Privacy Awareness in Healthcare: Essentials online training program. The course has helped satisfy the training requirements of the Health Information Act. Staff go through the course at their own pace while we monitor to ensure completion.

Luke Brimmage

Executive Director, Aspen Primary Care Network

The online Privacy Training from Corridor Interactive helped EFW in providing consistent and comprehensive privacy training to all of our staff. The information in the modules was presented in a way that was relevant and easy to understand and offered the added benefit of being able to be completed by staff in smaller time periods using the automatic bookmarks. One of the best features was the ability to customize the program and add in links and references to specific EFW Radiology processes and policies. This made the training not just another off the shelf product, but something relatable to our organization as a whole.

Helen Lemieux, CHRP

Director of Human Resources, EFW Radiology

Sounds great! Sign me up!

This self-paced on-line education includes:

Welcome

Introduction to the course
Privacy legislation introduction

Part 1

Understanding Privacy
Privacy Principles
Collection, Use and Disclosure
Roles and Responsibilities
Privacy Breaches

Part 2

Right of Access
Safeguards
What is ‘Personal Health Information’?
Handling Personal Health Information
Post Test to confirm that you understand the key concepts

Certificate of Completion

“When we know better, we can we do better.”

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too! I designed this course to assist healthcare providers, clinic managers, practice managers, privacy officers and independent healthcare practice owners provide practical privacy awareness training that was easy to implement, consistent content, cost-effective and meaningful to your day-to-day business.

When each member of your independent healthcare practice completes this privacy awareness course, you will have clearer expectations and confidence that your team will maintain the privacy, confidentiality and security of your patient’s health information. Give your patients the gift of privacy. Improve your healthcare practice with privacy awareness education.

Jean L. Eaton, Your Practical Privacy Coach Information Managers Ltd.

Frequently Asked Questions

How can I access the course?

The course, Privacy Awareness in Healthcare: Essentials, is available on-line from any internet enabled device. You can use your desktop computer, smart phone or tablet to view the slides and even hear the narration.

How long is the course?

Most students complete the course in under 2 hours. You can start and stop the course at any time. Let's say you decide to take 20 minutes each day to work on the course. You can login and start the course right away. When you come back to the course the next day, you can start right from where you left off. You will have all the modules and the post-test done within 6 days. Don't worry about missing a few days – you have access to the course for a full 3-months!

This is my first job in a healthcare practice. Do I know enough to start the course?

You bet! The course is easy to read and I explain all the terms that you need to know. There are a lot of practical examples, too, to make it easier for you to apply what you have learned to your job.

I've worked in healthcare for a long time. Do I still need to take this course?

You bet! Seasoned professionals like yourself have an extra obligation to share your knowledge with new workers. This course will help you to refresh key principles and suggest wording, examples, and key messages that you can use to train new employees to their specific tasks in the workplace. The course will help you to advocate for the privacy rights of your patients. Unfortunately, we have many examples where trained professionals who “should have known better” make errors in judgement causing privacy breaches that affect our patients, our business, and the reputation of healthcare. Healthcare practitioners and owners have a responsibility to ensure that everyone in the practice receive comprehensive privacy awareness training regularly.

Will I get a certificate of completion that I can give my employer?

Yes – at the end of the course, you will have the opportunity to complete a short on-line quiz to confirm that you understand the key concepts. Then you will have access to a Certificate of Completion that you can download and share with whomever you choose.

Can I get continuing education credits with my professional association?

Maybe! This course is pre-approved by the International Association of Privacy Professionals (IAPP) for 2.5 Group A Continuing Professional Education (CPE) credits for CIPP/C, CIPM, and CIPT-certified individuals. If you are a member of another association and you would like to seek credits from for taking this course, please let us know so we can take steps to request pre-approval.

How much is the course?

The course is $25 per person. Click here to buy it right away.

I think everyone in my healthcare practice should take this course! Can I buy in a group package?

Yes – Privacy Awareness in Healthcare: Essentials is available in group packages, or it can be customized to incorporate your organization’s privacy policy and practices. Employers can monitor the employee’s training progress and receive a report of employee’s satisfactory completion of on-line quizzes. Track annual privacy awareness training through our online platform to demonstrate your compliance with legislation. Contact Corridor Interactive for more information.

I agree that privacy awareness training s important - but I don't work in healthcare. Do you have a corporate privacy awareness program?

While these programs have been developed with health care providers in mind, the privacy principles and fundamentals of protecting personal information are appropriate for any organization that collects, uses, and discloses personally identifying information. Contact us for information about our Corporate Privacy Awareness Program!

Interested in Group Training?

Employers can also purchase training for groups of employees; employees can access the internet based training at a time and location convenient to them. Employers can monitor the employee’s training progress and receive a report of employee’s satisfactory completion of on-line quizzes. Track annual privacy awareness training through our online platform to demonstrate your compliance with legislation.

Email Corridor Interactive to Order Group Training

Corridor Interactive, health care, Health Information Act Training, healthcare, healthcare provider, primary healthcare, privacy, privacy awareness, Privacy Awareness in Healthcare: Essentials, privacy breach, training

9,000 Employee Records Lost

Posted on May 1, 2017 by Jean Eaton in Blog

Do you authorize the use of mobile devices in your healthcare practice? Remember to safeguard privacy on mobile devices and prevent a privacy breach.

You Can Use This Privacy Breach Example to Review and Improve Your Practices

USB Flash Drive Missing

In June 2015, Newfoundland’s Eastern Health Authority (EHA) notified approximately 9,000 employees that their personal information contained in their employee records was compromised when a USB flash drive with their data on it had been lost. The Human Resources department had electronically scanned employee files so that hard copies of the files could be stored offsite.

This loss of control over employee records is a violation of Access to Information and Protection of Privacy Act (ATIPPA) and was reported to the Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC).

Missing USB Drive NOT Encrypted

When the EHA discovered the USB flash drive missing, they searched the office and hired a third party specializing in this type of search to go over the office area.

The EHA conducted an internal investigation that included determining the type of information lost. They discovered there was personal information on the USB drive including employee names and some employees’ social insurance numbers (SIN).

The next step was to alert the employees affected by the breach.

The EHA first notified employees with the highest risk of significant harm (ROSH) because of the type of information included in the breach (for example, social insurance numbers) by phone. The remaining employees were notified by letter.

The EHA also provided information to the affected individuals on how to protect themselves from identity theft, and they offered to cover the cost of a credit check for any employee wanting one.

What Came From the Breach

The USB flash drive in question was found in August in a file folder.

To prevent a similar incident, the EHA has taken a number of precautionary steps:

EHA plans to upgrade their system, so USB drives are automatically encrypted before being used.
EHA has requested that all non-encrypted USB drives currently in use be returned and securely destroyed.
EHA is no longer using SIN to index and transfer employee files.
EHA also will review and update their policy regarding the issuance, control, and use of mobile devices.

The OIPC determined that the EHA responded adequately to the privacy breach complaint.

Privacy Nuggets That You Need to Know

Step 1 – Spot and Stop – The privacy breach was brought to EHA’s attention by the office that lost the USB flash drive. This is the first step in privacy breach awareness – spot the privacy breach and stop it.

Step 2 – Investigate – EHA identified what information was lost and the individuals affected by the incident.

Step 3 – Notify – EHA subsequently notified the affected individuals directly. The custodian also made the information about the breach public and provided the employees affected with information to protect themselves against any further harm.

Step 4 – Prevent the breach from happening again – EHA took steps to make sure this type of breach doesn’t happen again. Proactive steps—like requesting non-encrypted USB drives currently in use be returned and securely destroyed, and ensuring that only encrypted mobile devices can be used—are reasonable safeguards that all businesses should implement now.

When we know better, we can do better

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

Ready for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”

FREE 15-minute Privacy Breach Awareness On-line Training.

Along with your registration, you will also benefit from the occasional Privacy Nugget tips by email of similar privacy resources and articles that you can use right away!
Read More

ATIPPA, employee records lost, encrypt, flash drive lost, healthcare, medical, mobile devices, privacy breach, privacy nuggets, risk of significant harm (ROSH), USB drive lost

iPhone Stolen with 412 Patient Health Records

Posted on April 17, 2017 by Jean Eaton in Blog

Do you authorize the use of mobile devices in your healthcare practice? Remember to safeguard privacy on mobile devices and prevent a privacy breach.

You Can Use This Privacy Breach Example to Review and Improve Your Practices

A business associate (contractor) of the Catholic Health Care Services (CHCS) of the Archdiocese of Philadelphia had their iPhone stolen. This iPhone contained unprotected and unencrypted Personal Health Information (PHI). The U.S. Department of Health and Human Services Office for Civil Rights (OCR) started their investigation on April 17, 2014, and found that a total of 412 patient health records were compromised.

Protected Health Information at Risk

The data on the iPhone included security data, protected health information, social security numbers, family member contacts, treatment, and medication details.

Before a healthcare provider (also known as the custodian) authorizes the use of mobile devices to manage patient records, they must conduct a specific risk assessment to (1) determine the threats of mobile technology and (2) secure the data. Reasonable safeguards include written policies and procedures that authorize the use of mobile technology and identify the risks, as well as a mitigation strategy (including additional training to the employees using mobile technology) to ensure that they are aware of the added security risk. The incident investigation found that CHCS did not have these reasonable safeguards in place.

[clickToTweet tweet=”Are you using mobile devices in your #healthcare practice? This #PrivacyBreach could happen to you!” quote=”Are you using mobile devices in your healthcare practice? This privacy breach could happen to you!”]

$650,000 Fine

The OCR fined CHCS $650,000 and imposed monitoring of the business associate and CHCS to ensure compliance with HIPAA regulations for the next two years.

Privacy Breaches – What You Need to Know

This use of mobile devices in healthcare is common and breaches are easily preventable. The following information will help you to prevent a privacy breach.

Policies and Procedures. You need a policy that states whether or not you allow employees to use their own mobile devices at work, and if so, for what purpose(s). (This is also known as bring your own device or BYOD.) This includes texting co-workers during work hours or accessing their work email from their smart phone. If you provide mobile devices to your employees so that they can do their jobs remotely (from their home office or when attending clients away from your practice), you must also conduct a specific threat risk assessment to determine the threats of mobile technology, secure the data, and implement reasonable safeguards.

Generally, when a mobile device containing personal identifying information is lost or stolen, the device must have both a strong password protection and encryption to not be considered a breach of personally identifying information.

Training. It is important that you provide specific training to your staff to ensure that they understand the additional specific risk of having personal information on mobile devices. Employees must know their responsibilities to protect the personal information of your patients, clients, and your practice. The custodian should keep record attendance to ensure that training is provided.
If you have contractors, vendors, or business associates who provide services and use mobile devices, you are responsible to ensure that they also have strong policies and training or follow your policies and training. In Alberta, make sure that you have an Information Manager Agreement (required by the Health Information Act (HIA) s.66) with your contractor, vendor, or business associate.

When we know better, we can do better

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton, Your Practical Privacy Coach

Ready for help now? Register for the FREE training video “Can You Spot the Privacy Breach?”

(7 minute video).

New! Privacy Breaches – What You Need to Know

Posted on April 4, 2017 by Jean Eaton in Blog

I have just launched a new series to my Privacy Nuggets newsletters – Privacy Breaches – What You Need to Know.

This newsletter series will be published about every 2 weeks and will look at one privacy breach that has been in the news. I will summarize what happened, what the business did to manage the privacy breach, and specific privacy breach management tips that you can use right away!

You can use the privacy breach example to review and improve your practices.

You will also benefit from other similar privacy resources and articles that you can use right away!

Sign up for Privacy Nuggets here – https://informationmanagers.ca/privacy-nuggets/

PS – If you are already receive Privacy Nuggets you will automatically receive the new Privacy Breaches – What You Need to Know. You don't need to re-subscribe.

healthcare, privacy breach, privacy breaches what you need to know

Privacy Breach Awareness Training

Posted on February 28, 2017 by Jean Eaton in Training

The biggest mistake in managing a privacy breach is not recognizing the privacy breach!

Join the FREE 15-minute Privacy Breach Awareness On-line Training to discover how you can avoid this mistake and what to do instead.

You can start the on-line education right away from your desktop or mobile internet enabled device.

All you need is a headphone or speakers to listen to the video.

Dealing with a privacy breach in your clinic can be stressful and confusing. What should you do? Who should you contact?

80% of all privacy breaches are caused inside the business

Most of these breaches are an ‘oops’ or honest mistakes. Some breaches are malicious or intentional. Sometimes business have security breaches from outside the business that cause privacy breaches.

If you don’t know how to recognize a privacy breach, you will not be able to manage the breach and prevent it from happening again and again.

This FREE 15-minute Privacy Breach Awareness On-line Training will help your employees to spot a Privacy Breach and know what to do next.

Privacy Breach Awareness Training for YOUR Employees

Includes:

Video – “Can You Spot the Privacy Breach?” (7 minutes)
Learning Resources Guide you can download
Post Test and
Certificate of Attendance

Ideal for front line staff, privacy officers, clinic managers, practice managers, healthcare providers, owners.

Learn the 3 common mistakes made when managing a privacy breach.

Learn from someone else’s mistakes!

Practical tips that you can use right away to protect the privacy of your clients and patients!

With Jean L. Eaton, Your Practical Privacy Coach!

It is easy for you to access the on-line Privacy Breach Awareness Training. Just register for the FREE on-line course.

Remember to check your email for the confirmation message and instructions.

Along with your webinar registration, you will also benefit from the occasional Privacy Nugget tips by email of similar privacy resources and articles that you can use right away!

Yes, you can share this!

Can You Spot the Privacy Breach?, privacy breach, privacy breach awareness, training