Privacy Breach – 3 Mistakes in Managing a Privacy Breach

Posted on June 3, 2014 by Meghan Davenport in Blog, Privacy, Confidentiality, and Security Series Webinar

Privacy, Confidentiality, Security for Medical Offices©

Privacy Breach – 3 Mistakes in Managing a Privacy Breach

Privacy is a huge issue for the public right now, and as more businesses, health care practices, and even your grocery store collect more information about you, the risks of having that information stolen, misused, or compromised, are huge.

Having a privacy breach can cost you time, money, and trust of your patients.

Attend this webinar, 3 Mistakes in Managing a Privacy Breach, to help you understand the three common mistakes in managing a privacy breach, and ensure that you and your staff take the right steps to contain, manage, and prevent privacy breaches.

Pssst – if you are a member, click this link for an EXCLUSIVE coupon. Not a member? Become one!

This webinar will teach you:

how to identify a privacy breach
how to notify a privacy breach
how to communicate about a privacy breach

Register for the Webinar!

Privacy Breach – 3 Mistakes in Managing a Privacy Breach

Tuesday July 29th, 2014 12:00pm – 1:00pm MST

Live webinar with Jean Eaton, the Practical Privacy Coach and Practice Management Mentor.

Discussion, resources, and template procedures that you can use right away!

Replay will be available for 1 week. Register today!

The Privacy, Confidentiality and Security Series include topics such as privacy awareness, privacy breaches, and email with patients. Seminars last from an hour to an hour and a half, and cover important information for new patient care providers and support staff, as well as practice managers, healthcare providers, or trusted vendors who support healthcare practices. Privacy, Confidentiality and Security© series is hosted by Jean Eaton (the Practice Management Mentor) of Information Managers Ltd.

practice management, privacy breach, template

2014 Saskatchewan Connections Conference

Posted on April 16, 2014 by Jean Eaton in Blog

Jean will be presenting at the 2014 Saskatchewan Connections Conference on Wednesday June 4, 2014 at the beautiful Delta Regina. Saskatchewan's Access, Privacy, Security & Records Management Forum

1B: Managing a Privacy Breach: 3 Mistakes in Managing a Privacy Breach

Welcome video from Jean

Dealing with a privacy breach in your clinic can be stressful and confusing. What should you do? Who should you contact? In this presentation, learn the 3 common mistakes made when managing a privacy breach. Learn from someone else's mistakes!

In a fun and informative format Jean will present key principles to manage a privacy breach – and 10 key steps to prevent a privacy breach! Discussion will include proactive privacy and privacy by design principles to keep your practice breach free.

Agenda Register at Verney Conferences

Let your colleagues know that you plan to attend this event! Follow Twitter @SK_Connections

Practical Privacy Coach, privacy breach

When is a privacy breach a privacy breach?

Posted on January 27, 2014 by Jean Eaton in Blog

The biggest mistake in managing a privacy breach is not recognizing the privacy breach.

The second biggest mistake is not knowing what to do about it.

The recent publicity about the privacy breach in Alberta when a laptop with health information was stolen and came to the public's attention several months later is not the first news item of its kind. In fact, this happens frequently in healthcare, retail, government departments and other industries. This doesn't make it any easier to swallow and certainly doesn't make it right. But this is an opportunity for you, healthcare provider or practice manager, and vendor to make sure that you have good practices in place to manage your next privacy breach.

Health information is recognized as being particularly sensitive and important to the person that the information is about. It is so important, in fact, that a new breed of legislation was developed to set out specific rules to ensure that the health information has robust safeguards (administrative, technical, and physical) to keep the health information confidential and secure. In Alberta, the Health Information Act (HIA) was proclaimed in 2001 to help custodians (people or organizations who collect, use, and disclose health information) ensure that they have identified the risks to breach of health information and how to prevent those risks. The legislation also ensures that the people who the health information is about have access to their personal health information.

The HIA allows the custodian discretion whether or not to report a privacy breach to the Office of the Information and Privacy Commissioner (OIPC). Why would a custodian not want to report the privacy breach to the OIPC? Privacy breaches come in all types and sizes. One of the most common forms of a privacy breach is when a clinic or healthcare provider intends to send a report to another healthcare provider for continuing care and treatment. For example, a referral request about a patient from one physician to another physician about is sent to the wrong physician. Or, the referral request went to the correct physician but included extra information about another patient that was not part of the referral. This is a privacy breach. If the healthcare provider was required to report each privacy breach to the OIPC, the health care providers and the OIPC would soon be drowning in breach reports. Does this improve healthcare services? Or might it put a strain on the health care provider so that they would never admit to making an error?

To each of us, our personal health information is important. As a healthcare industry, we need to ensure that we recognize this and acknowledge that each privacy breach is important to the person the information is about. We need to make sure that we minimize the risk of the information being used inappropriately or maliciously. We need to acknowledge to ourselves and to our patients and clients that we are human and that sometimes we do make mistakes and we will strive to do better.

A ‘small' breach of one person one time might have a big impact. A ‘big' breach of a lost laptop might have a big impact. Each breach is important and needs to be recognized, contained (so it doesn't get any bigger) and corrected so it does not happen again. The person who's information has been breached needs to be made aware of the problem and the risk that might be experienced so that they can be prepare to limit the risks. The custodian needs to know how to manage the privacy breach and report it – internally and perhaps to other stakeholders – so that we can learn from the breach and minimize the danger that might be experienced because of the breach.

Recognize a privacy breach when it happens.

Learn what to do if you have a privacy breach.

breach, Health Information Act, OIPC, privacy, privacy breach, training

Privacy Breach – 3 Mistakes in Managing a Privacy Breach

Posted on January 25, 2014 by Meghan Davenport in Blog

Webinar Event

Time: Tuesday, February 11th at 12:00 pm – 1:00 pm Mountain Standard Time

Listening Method: Web Simulcast

Dealing with a privacy breach in your clinic can be stressful and confusing. What should you do? Who should you contact? In this webinar, learn the 3 common mistakes made when managing a privacy breach. Learn from someone else's mistakes!

Webcast Seminars: $25.00 + $1.25GST = $26.25

breach, privacy, privacy breach

Stolen Laptop Results in Privacy Breach

Posted on January 25, 2014 by Meghan Davenport in Blog

A laptop with the unencrypted personal health information of 620, 000 Albertans was stolen in September of 2013.

The laptop, belonging to an information technology consultant for Medicentres, was stolen on September 26th, and contained the names, dates of birth, provincial health card numbers, billing codes and diagnostic codes of individuals seen at Medicentres between May 2, 2011 and September 10, 2013.

The process of notifying the public was delayed because Medicentres was trying to figure out how to best do it, chief medical officer Dr. Arif Bhimji said.

“…[T]his was the first time ever having to deal with this sort of situation and it took a lot longer than we would have liked it to take.”

Questions are now being asked as to why the consultant had access to so much information, and why the laptop's data was not encrypted.

Privacy Commissioner Jill Clayton is launching an investigation into the event, and the probe will also be taking a wider look of how privacy breaches are reported in Alberta.

For more information about this privacy breach, visit CBC.ca.

Are you concerned about what your organization would do in the event of a privacy breach? Would you know how to handle it? Visit our Training Calendar for more information about an upcoming webinar!

Alberta, breach, encryption, health information, privacy, privacy breach

Pharmacist Used Health Information for Personal Reasons

Posted on January 4, 2014 by Meghan Davenport in Blog

A Calgary pharmacist has been cited for using the health information of a patient in an attempt to establish a personal relationship with her.

The woman complained to the Information and Privacy Commissioner, alleging that the relief pharmacist employed at a pharmacy in Calgary, had contacted her twice by phone and attempted to “friend” her on Facebook.

The Health Information Act (HIA) prohibits employees from using health information for purposes not required to do their job. The investigation by the Privacy Commissioner found that the pharmacist misused health information, and that the pharmacy manager had failed to provide privacy and security training to the pharmacist.

The pharmacy had access to privacy policies and training but the pharmacist in question was not made aware of these policies by the pharmacist manager. The investigation concluded by reinforcing the need for following through on administrative and technical safeguards and training for all staff.

Do you provide privacy training for all of your staff – including professional healthcare service providers? How do you document that each staff has received the training? How often do you re-fresh or update the training? A privacy management program is an important part of your responsibility as a healthcare provider, practice management and business owner. See our training programs for additional resources you can use right away.

For more information, check out the full OIPC Investigation Report H2013-IR-02

You can also read the Calgary Herald article (Dec 17, 2013) here

Alberta, breach, complaint, Health Information Act, HIA, OIPC, privacy, privacy breach

What Not To Do – keep your backup device plugged in

Posted on January 25, 2013 by Jean Eaton in Blog

An Australian medical center is facing the possibility that its patients’ electronic medical records may be locked away forever after hackers broke into its computer system in December and encrypted the files. The hackers captured a medical centre's data and demanded A$4000 to decrypt the information.

While this incident is rare it is a good lesson to ensure that you take control of your data. Ensure that it is secure. Ensure that your data is securely backed up and is segregated from your computer servers. Your must be proactive and monitor your computer network. This may be an appropriate task to outsource to a reputable vendor. Are your plans comprehensive? Is it time for you to schedule your Privacy Practice Review?

See the Technology for Doctors Online story from January 17, 2013, for more information.

backup, best practices, breach, computer network, encryption, external hard drive backup, privacy, privacy breach, privacy practice review, security, security external hard drive devices, segregated backup

Charges laid under the Health Information Act

Posted on October 31, 2012 by Jean Eaton in Blog

A self-reported breach by an individual to the Office of the Information and Privacy Commissioner resulted in an offence investigation being opened into suspicious access to health information. The completed investigation, after being referred to Crown prosecutors at Alberta Justice, led to thirty-one charges under the Health Information Act being laid for improperly accessing other individuals’ health information. Another charge was laid for inappropriate use of health information, another for inappropriate disclosure of health information, and one more charge for knowingly falsifying a record. In addition to these thirty-four charges under the Health Information Act, six charges were also laid under the Criminal Code.

The Calgary Herald reports that Brian Hamilton, OIPC Director for the Health Information Act, would only confirm the accused is not a doctor or other medical professional. The matter will be heard in Airdrie Provincial Court on Thursday, October 18, 2012.

The Edmonton Journal also reported that, in addition to the charges under the Health Information Act, the accused may face up to six Criminal Code charges.

Each organization has a responsibility to ensure that their employees (affiliates) receive education and training in their roles and responsibilities under the HIA. Information Managers can help you by providing training on-site and now by webinar. Click here for more information.

For more information, see:
the OIPC Website (http://www.oipc.ab.ca/Content_Files/Files/News/NR_Oct_2012.pdf)

http://www.calgaryherald.com/health/Charges+laid+improper+access+health+files/7400003/story.html

http://www.edmontonjournal.com/health/Alberta+Justice+lays+charges+improperly+accessing+health+information/7399425/story.html

access, Alberta, complaint, disclosure log, Health Information Act, HIA, improperly accessing health information, OIPC, privacy, privacy breach, training

1 2 3