Informationmanagers.ca Logo
Build a Strong Privacy Management Program for Your Clinic With These 5 Critical Modules

Build a Strong Privacy Management Program for Your Clinic With These 5 Critical Modules

Struggling to Learn Your Role As A Privacy Officer?

In many small healthcare practices, the privacy officer is also the clinic manager, healthcare provider, IT technician, or business owner. It’s no surprise that new privacy officers feel overwhelmed trying to balance competing responsibilities.

Without a clear plan, you may find that you

  • Panic when a patient asks for their information for access or correction.
  • Scramble when new employees and healthcare providers join your clinic . . .and suddenly realize that you never got around to providing privacy and cybersecurity awareness training.
  • Hope that your practice will not be tapped on the shoulder for a practice review by your college or the OIPC.
  • Ignore privacy breach and hope no one else notices.
  • Avoid difficult decisions with your owners / staff who insist on doing things their way – even when it is not privacy compliant.
  • Never get ‘review privacy impact assessment’ and ‘review privacy policies and procedures’ off of your to-do list.
  • Avoid discussing privacy and security with your EMR and computer networks managed service providers because you are unsure of what questions to ask and what types of answers you should receive.

If you don’t have a written privacy management program and action plan, you are missing the systems that prevent small issues from becoming privacy and security incidents.

The good news? Organizations with an active privacy officer and privacy management program are less likely to experience breaches and report better staff engagement and patient trust.

Privacy Is Good For Business

Strong privacy practices aren’t just about legal compliance. Policies, procedures, and systems improve communication, reduce risk, and support better decision-making.

A practical privacy management program creates accountability for the collection, use, and disclosure of health information, while demonstrating compliance to regulators and professional colleges.

Based on my experience, the five critical modules of a privacy management program are:

  1. Know Your Obligations
  2. Train
  3. Privacy Breach Management
  4. Document your Privacy Management Program
  5. Access and Disclosure

Module 1—Know your Obligations

Accountability starts with your healthcare provider(s)—also known as “custodians.” They are legally responsible for the privacy, confidentiality, and security of personal health information (PHI).

Custodians can delegate day-to-day tasks to a privacy officer, often the clinic or practice manager in smaller settings. Business owners also have obligations for employee and customer information. Together, the healthcare provider, business owner, and privacy officer form a trifecta of authority responsible for privacy compliance.

Knowing your obligations means:

  • Establishing clear roles and accountability
  • Identifying all types of personal and health information in your practice
  • Understanding how privacy legislation applies to your operations

Training for custodians and privacy officers is often required to build confidence and competence in these responsibilities.

Module 2 – Training

Privacy training is essential and must be consistent across your organization. Every staff member—new and experienced—should complete privacy awareness and cybersecurity training, and you should document attendance.

Effective training includes both formal and informal opportunities:

  • Formal: orientation programs, annual refreshers, and documented privacy awareness training
  • Informal: short reminders in staff meetings, activities tied to events like Data Privacy Day or Cybersecurity Awareness Month

Don’t overlook staff moving into new roles—promotions are an ideal time for targeted training about new responsibilities, such as authorizing users or supervising others.

Module 3 – Privacy Breach Management Plan

Every practice needs a written privacy breach management procedure. The privacy officer should ensure staff know how to recognize and report a breach, and custodians must be notified promptly.

Your plan should cover:

  • How to contain and investigate suspected breaches
  • Sanctions for non-compliance
  • Notification to patients and regulators when required

The privacy officer will manage mandatory privacy breach notification requirements under the health privacy legislation like the Alberta Health Information Act (HIA), Ontario Personal Health and Information Protection Act (PHIPA) and the Personal Information Protection of Electronic Documents Act (PIPEDA) and other province’s legislation.

Module 4 – Document: The Backbone of Privacy Compliance

Privacy training is essential and must be consistent across your organization. Every staff member—new and experienced—should complete privacy awareness and cybersecurity training, and you should document attendance.

Effective training includes both formal and informal opportunities:

  • Formal: orientation programs, annual refreshers, and documented privacy awareness training
  • Informal: short reminders in staff meetings, activities tied to events like Data Privacy Day or Cybersecurity Awareness Month

Don’t overlook staff moving into new roles—promotions are an ideal time for targeted training about new responsibilities, such as authorizing users or supervising others.

Module 5 – Access and Disclosure: Ensuring Patient Rights

Patients and employees have the right to access and correct their information. Release of information (ROI) policies and procedures are essential.

Your ROI plan should:

  • Define clear steps for handling requests
  • Train staff on how to respond appropriately
  • Align with legislation and college standards of practice

Doing this well helps you avoid complaints and breaches, improves efficiency, and strengthens patient trust.

Bringing It All Together

Being a privacy officer doesn’t have to feel overwhelming. With a structured privacy management program built on these five modules, you’ll have the systems to protect patients, support your staff, and strengthen your business.

If you’re a privacy officer in a healthcare practice and want practical strategies you can apply right away, join the upcoming Practical Privacy Officer Strategies training.

Training starts October 9, 2025

Register here https://informationmanagers.ca/ppo

Not sure if this is for you?

Send me an email and ask me! I’m happy to mentor you and help you assess your practice management and privacy compliance priorities.

Leaving a Group Practice? Know Your Responsibilities for Patient Records

Leaving a Group Practice? Know Your Responsibilities for Patient Records

 

Leaving a Group Practice? Know Your Responsibilities for Patient Records

You’ve been part of a group practice for some time.

Now, you’re preparing to open your own clinic, relocate to another area, or step away from practice altogether. Whatever your next move, it’s important to understand your responsibilities when it comes to patient health records.

Here’s what you need to know to leave well—and stay compliant.

Understanding Your Rights and Responsibilities

When you leave a group practice, you still have important obligations tied to patient records. These include:

  • Record access, security, and retention – You’re responsible for the health records you’ve collected while in practice.
  • Right of continuing access – You have the right to access the records of patients you’ve cared for, even after leaving, to respond to inquiries for access, disclosure, complaints, or investigations.
  • Continuity of care – You’re responsible for ensuring appropriate access to patient records to support ongoing care.
  • Duty to inform – Patients should be made aware of your departure and how their records will be managed.
  • Respect existing agreements – This includes any contracts or group practice policies in place, such as Information Management Agreements (IMAs) or Information Sharing Agreements (ISAs).

Resources to Guide You

Before finalizing your departure, review the following documents and standards:

  • Your contract – especially termination clauses
  • Information Management Agreements (IMAs) – with both the group practice and EMR providers
  • Information Sharing Agreements (ISAs)
  • Privacy and security policies – especially those related to closing or relocating a practice
  • Professional college standards – around recordkeeping and patient notification
  • Provincial health privacy legislation – such as Alberta’s Health Information Act or Ontario’s PHIPA

These documents can help clarify who retains custody of the records, what access rights you have, and how to ensure continuity of care for your patients.

What Are Your Plans?

Your responsibilities will vary depending on your next step:
If You’re Relocating (and Patients May Follow)
You may want to request a copy of relevant patient records for continuity of care. To do this:

  • Review your IMA – Is there a cost to receive a copy of your patient records?
  • Talk to your EMR vendor – Is data export or transfer supported? What is the cost?
  • Ensure data quality assurance – Will the records be intact and complete?
  • Prepare a new Privacy Impact Assessment (PIA) for your new location, including data migration

If You’re Leaving Practice or Relocating Far Away
You may choose to leave records with the current group practice. In that case:

  • Make sure you have a written agreement outlining who is responsible for access, storage, and disclosures.
  • Update your IMA to authorize the group to manage patient inquiries on your behalf.
  • Keep in touch with group practice so that they can reach you in case you’re needed to support access to patient records or respond to complaints. You also want to know if the group practice changes significantly.
  • Don’t abandon your records. Even if you’re no longer practicing, you’re still responsible for their safekeeping

The group practice must also agree to manage your patient records on your behalf. Don’t make assumptions—get it in writing!

It Takes Time

It takes time

You didn’t start your practice overnight. It will take time to successfully plan and implement the transition of patient records when you leave the group practice.

Leaving a group practice is a significant professional step—and handling patient records properly is part of doing it right.

With the right planning, communication, and documentation, you can support your patients, protect yourself, and move forward with peace of mind.

Want Extra Support To Navigate Your Transition?

These resources include practical templates, checklists, and expert guidance to help you leave your current practice confidently and in compliance.

✅ Download the Practice Management Success Tips – Closing or Moving Your Healthcare Practice

✅ Get your copy of The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Privacy Principles Applies After Death

Privacy Principles Applies After Death

 

Privacy Principles Applies After Death

Are your staff looking at medical records when they shouldn’t be?

Many people have the mistaken impression they can look at a patient’s medical records as long as they don’t tell anyone else.

It’s not okay.

We continue to see examples of snooping where both seasoned and new healthcare providers and support staff don’t realize that looking at patient’s health information—even with good intentions—is a serious privacy violation.

As privacy lawyer Kate Dewhirst puts it

  • Privacy = Don’t look
  • Confidentiality = Don’t tell

Despite years of experience, many healthcare professionals still need a refresher on the basics. Privacy awareness training remains essential.

In this article, I am sharing an example of the Ontario’s Information Privacy Commissioner (IPC). This case involves a privacy complaint submitted by the family of a deceased individual. It’s a good reminder that whether you’re running a brand-new clinic or managing an established practice, it’s critical to understand your legal responsibilities and have systems in place to protect patient information.

What Happened

In 2014, a physician accessed a deceased patient’s health records while acting in his role as a coroner. The patient was also a family member. Soon after, the family alleged that the physician continued to access the individual’s personal health information (PHI) contrary to Ontario’s Personal Health Information Protection Act (PHIPA).

The family submitted a complaint to the hospital. Initially, the hospital’s response did not satisfy the family. The family filed a complaint to the Information and Privacy Commissioner (IPC) of Ontario.

The IPC started a complaint investigation.

privacy principles after death privacy breach incident scenario diagram

Privacy Complaint Investigation

Under PHIPA, the hospital is a health information custodian and the physician is an agent of the hospital.

During the IPC investigation, the physician admitted he “accessed the health information in response to his concern about the individual’s well-being.”

“I know now that proceeding in this way was misguided and wrong.” He would never disclose the information to anyone; that would be a violation of patient privacy and a breach of doctor – patient confidentiality.

He acknowledged he misunderstood the difference between:

• Privacy: The general right of every individual (living or deceased) to limit access to their health information.
• Confidentiality: The duty to not share that information once accessed.
• Circle of care / Need to know: You must only access information required to provide care at that moment.

4 Step Response Plan

When you have a privacy breach, follow these four steps to manage the privacy breach incident.

Step 1 – Spot and Stop the Breach

The family’s complaint prompted the hospital to begin the first step to spot and stop the breach.

Step 2 – Evaluate the Risks

An initial risk assessment was conducted, and after the IPC got involved, the hospital re-opened the investigation. They completed a comprehensive review and used audit log reporting tools to trace access.

Step 3 – Notify

The hospital eventually informed the family of the privacy breach—but the notification wasn’t timely. A more thorough and timely response could have helped address the family’s concerns more effectively.

Step 4 – Prevent the Breach From Happening Again

Following the breach, the hospital implemented several improvements:

  • Introduced a new auditing program that enhances its ability to detect unauthorized access.
  • Updated its Privacy and Confidentiality Policy, which applies to all agents of the hospital.
  • Launched mandatory annual electronic privacy training program for all staff, volunteers and learners. Physicians must complete this training as part of the annual reappointment process.
  • Strengthened the privacy warning on its electronic system, which warns users that unauthorized use of personal health information may result in disciplinary action.

privacy principles after death sanctions

The hospital’s Medical Advisory Committee also recommended disciplinary actions:

  • A three-month suspension of the physician’s hospital privileges
  • Three years of enhanced monitoring of his access to patient records
  • A requirement to present at Grand Rounds on privacy topics upon his return

The IPC concluded that the disciplinary consequences for the physician were sufficient in the circumstances.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. Here’s how you can be proactive to prevent privacy breach pain.

  • Go beyond policies—model good practices
  • Use real-life examples in staff meetings
  • Incorporate gamification and ongoing discussions to engage your team

Privacy awareness is everyone’s responsibility. Make sure your staff know what’s expected, what’s at risk, and what to do if something goes wrong.

If you need to start or update your privacy awareness training program, check out the on-line education Privacy Awareness in Healthcare: Essentials.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget’ to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

References and Resources

Dewhirst, Kate. After Death: Who Can Access The Records Of A Patient After Death? May 7, 2019. https://katedewhirst.com/blog/2019/05/07/after-death-who-can-access-the-records-of-a-patient-after-death/

Ontario Information and Privacy Commissioner IPC Investigation Report PHIPA DECISION 74 HC15-4 Sault Area Hospital August 10, 2018.

5 New Year’s Resolutions for Privacy Officers and Clinic Managers

5 New Year’s Resolutions for Privacy Officers and Clinic Managers

Why Privacy Resolutions Matter for the New Year

The start of a new year is the perfect time for clinic managers and privacy officers to reflect, reset, and refocus their efforts on safeguarding patient information. Just as individuals set personal goals for growth, healthcare organizations benefit from creating resolutions to strengthen their privacy practices. With evolving regulations, new technologies, and the ever-present risk of breaches, a proactive approach ensures your clinic stays ahead of potential challenges. These five New Year’s Resolutions will help you prioritize compliance, reduce risks, and foster a culture of privacy and accountability in your practice.

1. Review Your Clinic Description and Privacy Impact Assessment (PIA)

Start by assessing your clinic’s current operations and comparing them to your original plans. Are they still aligned, or have new challenges or opportunities arisen? Consider the following:

  • Are there any new initiatives or technologies your clinic is planning to implement this year?
  • Are there upcoming changes in personnel, stakeholders, or organizational structure?
  • Have there been any recent or anticipated legislative updates that could impact your privacy practices?
  • Identify updates that need documentation and determine if you need to notify the Office of the Information and Privacy Commissioner (OIPC).

Regularly updating your PIA ensures your clinic stays compliant, prepared, and aligned with its goals.

If you haven’t completed a PIA, make it a top priority this year! A PIA ensures compliance and protects your patients and organization.

Tip: Check out the December 2024 Q&A With Jean for the ‘Annual Review Checklist’ template to help you right away!

 

2. Monitor Privacy Breaches and Annual Trends

Take a close look at the privacy breaches and near misses from the past year. What patterns or trends stand out? Are there recurring issues, such as faxes being sent to the wrong number or patient forms being given to the wrong person?

It’s time to evaluate your current approach. If reminders to “be more careful” haven’t reduced these incidents, it’s a sign that a new strategy is needed. Process changes, additional staff training, or implementing new tools might be necessary to achieve better results.

Action Step: If you don’t already have a privacy breach reporting tool to provide a clear summary of all breaches at a glance, make it a priority to implement one now. Use this tool to document trends, analyze recurring issues, and develop actionable solutions to discuss during staff meetings.

 

3. Privacy Awareness Training for Everyone!

Recent decisions, such as Ontario IPC’s PHIPA Decision 260, highlight the importance of mandatory Privacy Awareness Training (PAW) training for all staff, including physicians.

Ensure your organization not only mandates this training but also enforces compliance. Accountability starts at the top.

Case Study: In Decision 260, a hospital faced repercussions when a physician accessed 1,400 patient records without proper authorization due to lack of enforced PAW training. How do you ensure that every employee and healthcare provider receive PAW training at your practice?

4. Plan for Succession

Every business owner needs a plan to ensure that there is a plan to continue or close their business if there is a sudden inability of the owner to do their job.

Custodians must designate a successor to ensure patients maintain access to their records in case of sudden changes. Naming a successor custodian who will advocate for and ensure the proper access and retention of patient records is a requirement of professional standards of practice and good business sense.

Clinic managers should know who the designated custodian is and ensure there’s a written agreement in place.

Thought Experiment: Succession planning is critical for privacy officers and clinic managers, too! Who will take over your role if you win the lottery tomorrow? Develop a training plan for your protégé. Check out the upcoming Practical Privacy Officer Strategies training.

5. Review Your Technology Stack

Recent outages like Microsoft 365 or platform closures (e.g., Bench) highlight the importance of contingency planning.

A technology stack inventory includes a listing of your data holdings and software and hardware vendors that you use in your business.

Include the vendor contact details and backup plans for service disruptions.

Ensure that you have written agreements for each service and appropriate access, security, and retention for PHI.

Conduct a risk assessment of the technology that you implement in your business to evaluate the impact of downtime on your clinic. The higher the risk, the more important it is to have a business continuity plan.

Bonus: Email me for a free Technology Stack template to get started!

Schedule these activities into your calendar to prompt you to dedicate time to complete your resolutions. They are not difficult and will contribute to privacy compliance in your practice.

Need some help with your privacy compliance? Join our Practice Management Success Membership for templates, guides, and expert support to make 2025 your best year yet!

 
Jean Eaton Informationmanagers.ca

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you. Jean L. Eaton Your Practical Privacy Coach INFORMATION MANAGERS