Information Managers
  • Home
  • Services
    • All Services
  • Templates
  • Blog
  • Contact Us
  • Practice Management Success
  • Podcasts

Build a Strong Privacy Management Program for Your Clinic with These 5 Critical Modules

Posted on February 23, 2023 by Izza Nuguit in Blog

Build a Strong Privacy Management Program for Your Clinic With These 5 Critical Modules

Many privacy officers in small healthcare practices have other roles—as a clinic manager, healthcare provider, computer network technician, or business owner. It is little wonder that new privacy officers can feel overwhelmed when trying to balance these responsibilities every day.

But that's not the end of the problem. It actually gets worse!

You could continue to –

😮 Panic when a patient asks for their information for access or correction.

😔 Scramble when new employees and healthcare providers join your clinic . . .and suddenly realize that you never got around to providing privacy and cybersecurity awareness training.

😯 Hope that your practice will not be tapped on the shoulder for a practice review by your college or the OIPC.

🤐 Ignore privacy breach and hope no one else notices.

😒 Avoid difficult decisions with your owners / staff who insist on doing things their way – even when it is not privacy compliant.

😞 Never get ‘review privacy impact assessment’ and ‘review privacy policies and procedures’ off of your to-do list.

😥 Avoid discussing privacy and security with your EMR and computer networks managed service providers because you are unsure of what questions to ask and what types of answers you should receive.

If you don’t have a written privacy management program and action plan, you are missing the systems to monitor routine tasks that will protect privacy and alert you to potential problems before they become privacy and security incidents.

Carrying out the duties of a Privacy Officer correctly is vital to ensure your organization is safe from the consequences of a big privacy breach.

But did you know that those organizations who have a privacy officer and a privacy management program are:

  • Less likely to have a privacy or security incident
  • Increased staff satisfaction
  • Increased patient satisfaction and outcomes

We Know That Privacy Is Good For Business

​We know that having policies, procedures, and systems in place will improve your privacy compliance in your organization and help you make good business decision.

When we have consistent practices in place, it improves communication and prevents a multitude of problems.

I’d like to share with you what I believe are the 5 critical modules of a privacy management program

The 5 Modules of a Strong Privacy Management Program for Your Clinic includes

  1. Know Your Obligations
  2. Train
  3. Privacy Breach Management
  4. Document
  5. Access and Disclosure

We expect organizations which collect, use, or disclose health information to have key components of a privacy accountability program. These include:

Every healthcare and private organization that is subject to privacy laws must comply with them. A comprehensive privacy management program provides an effective way for organizations to create a culture of privacy in their practice, practice accountability for the collection, use, disclosure, and access of personal information, and show compliance with regulations.

Module 1—Know your Obligations

​Key accountability for your privacy management program starts with your healthcare provider(s). These are also known as “custodians”. They are ultimately responsible for the privacy, confidentiality and security of personal health information (PHI).

The key healthcare provider—physician, dentist, chiropractor, nurse—can assign or delegate a key person who is accountable to the custodian to implement and monitor a privacy management program. This is often known as a privacy officer. In many smaller healthcare practices, the clinic manager or practice manager is also the privacy officer.

The business owner (who might also be the healthcare provider) also has obligations to follow the privacy laws as it relates to the privacy of personal information of employee, customers, and general business information.

The healthcare provider, business owner, and privacy officer form a ‘trifecta’ of authority and responsibility in your practice to ensure that you comply with privacy legislation, professional standards of practice, and contractual commitments.

Knowing your obligations includes clear authority and accountability in your practice, identifying what identifying information that you have in your practice, and understanding how privacy legislation guides your business. Your privacy officer and custodians may require training in these areas to better understand their obligations.

Module 2—Training

​Training is an important component of your privacy management program. The privacy officer in your organization ensures that privacy awareness, cybersecurity, and privacy breach management are provided in your healthcare practice.

There should be both a formal and an informal training plan. A pre-planned privacy awareness training must be available for everyone in your organization, including new and seasoned professionals. It is critical that you can provide and document that everyone in your organization completed consistent common training.

We can provide informal training throughout the year. For example, have a standing agenda item during your staff meeting to do something consistently for everyone in the organization throughout the year. Leverage activities like Data Privacy Day, Change Your Password Month, Cybersecurity Awareness Week to provide a variety of content.

A frequently missed trigger for additional training happens when an employee is promoted to a new position. This is a great opportunity for the privacy officer to meet with the employee and discuss their new role and how their responsibility, for example, of authorizing new users or supervising employees contributes to the confidentiality and security of PHI.

Remember to document who attended the training opportunities and keep copies of the training content to show your actions to protect privacy.

Listen to the podcast How To Keep Privacy Awareness Top Of Mind | Episode #093 for more tips and resources to help you plan training throughout the year.

Module 3 – Privacy Breach Management Plan

​Ensure that a written privacy breach management procedure is part of your overall privacy management program. The privacy officer will document your privacy breach management policies and procedures, sanctions policies and procedures, and train all employees to identify a privacy breach and report it to their supervisor. The privacy officer will manage a (suspected) privacy breach and ensure notification to their custodians, individuals affected by the breach, and others as needed.

The privacy officer will manage mandatory privacy breach notification requirements under the health privacy legislation like the Alberta Health Information Act (HIA), Ontario Personal Health and Information Protection Act (PHIPA) and the Personal Information Protection of Electronic Documents Act (PIPEDA) and other province’s legislation.

See Understanding a Privacy Breach for more tips.

Module 4—Document

​I think most people in healthcare are familiar with the adage, “If it is not documented, it didn’t happen.” This applies to your privacy management program, too. Your program should include written:

  • Health Information Privacy and Security Policies, Procedures
  • Risk Assessment – Safeguards
  • Practical Privacy Review
  • Privacy Impact Assessment
  • Information Management Agreement
  • Information Sharing Agreement
  • Successor Custodian
  • Training plan

These actions will help you protect the PHI of your patients and your business. They help to demonstrate your compliance with your privacy and security obligations. Review and update these key documents annually.

See Privacy Impact Assessment for more tips.

Module 5 – Access and Disclosure

​When you collect PHI from patients and PI from employees and customers, you must ensure that they can access, correct, and authorize disclosure of their information.

Release of information (ROI) policies and procedures is a critical module of your privacy management program. Your privacy officer is tasked with ensuring that your ROI plan is written, understood, includes specific training to your employees, and follows legislated standards and professional college standards of practice. When you meet your ROI obligations, you avoid complaints and breaches, work efficiently, and improve the trust of your patients.

Struggling to Learn Your Role As A Privacy Officer On Your Own?

If you are a privacy officer in a healthcare practice who needs practical privacy management strategies to protect your patients and your healthcare business but aren’t sure how to get started, register for the Practical Privacy Officer Strategies training here.

The training starts on February 28, 2023.

Not sure if this is for you?

Send me an email and ask me! I'm happy to mentor you and help you assess your practice management and privacy compliance priorities.

Listen to the replay of my recent LinkedIn Live Event here.

Clinic Privacy, Data Privacy, Healthcare Privacy, privacy compliance, privacy management

Use These Reports To Improve Privacy Compliance

Posted on December 29, 2021 by Jean Eaton in Blog

Use These Reports To Improve Your Privacy Compliance

Investigation reports of privacy breach incidents helps to inform and update policies, procedures, and risk assessments can be used by privacy officers, clinic managers, and healthcare custodians to improve privacy compliance in their healthcare practice.

Recent publications by the Alberta Office of the Information and Privacy Commissioner (OIPC) and the College of Physicians and Surgeons of Alberta (CPSA) are great resources.

We can use these real-world examples to improve our current practices to protect the privacy, confidentiality, and security of personal health information and to protect personal health information from unauthorized access, use, disclosure, and loss.

Alberta OIPC Annual Report

In the Alberta OIPC Annual Report 2020-21, Jill Clayton, the Privacy Commissioner, noted that ‘this past year was a year like no other for access to information and protection of privacy in Alberta as the COVID-19 pandemic raised new challenges for regulated stakeholders and my office.’

Work from home mandates impacted how organizations responded to access to information requests and the security of personal information as employees shifted to remote work. The OIPC received over 150 privacy impact assessments (PIA) and notifications about the implementation of new virtual care (or telemedicine) projects.

Overall, the OIPC reports that there was a 31% increase in the number of PIAs that they had received over the previous years. The healthcare sector may not have applied the usual rigour to assess new virtual care solutions as has been previously applied to, for example, EMR implementation. The urgency of the pandemic may have triggered this weakness, but it's something that now we should be able to do better.

There were 930 breaches reported by health information custodians to the OIPC in 2020-21, representing a slight decrease from 2019-20 (938). There were four convictions under the Health Information Act (HIA) for unauthorized access to health information in 2020-21.

Download the Annual Report from the OIPC here

CPSA Virtual Care Standards of Care

The Alberta College of Physicians and Surgeons (CPSA) released on December 20, 2021, its updated Virtual Care Standards of Practice. This was previously released as telemedicine standards.

Download the CPSA Virtual Care Standards of Care here.

I want to highlight a few things that have changed and a few things that we should know about already. The standard provides clarity about physicians who can provide virtual care services for Albertans. A physician who has been licensed to practice and provide care in Alberta, with some exceptions. Other healthcare providers outside of Alberta should not be providing virtual care to residents of Alberta.

The standards also provide guidance on the procedures that a regulated member providing virtual care must follow, including Standard #8:

  • provide the patient with their name, location and licensure status during the initial virtual care encounter;
  • take reasonable steps to confirm the identity and location of the patient during each virtual care encounter;
  • confirm the patient’s physical setting is appropriate given the context of the encounter and ensure consent to proceed, in accordance with the Informed Consent standard of practice;
  • offer the patient the opportunity for in-person care; and
  • ensure there is a plan in place to manage adverse events or emergencies and make patients aware of appropriate steps to take in these instances.

The standards also remind physicians that prior to implementing new virtual care technologies or practices, that you must prepare a PIA. This applies even if you are ‘just’ using telephone to provide virtual care.

PIA Remote Working and Virtual Care Templates

Last year, Information Managers created a virtual care privacy impact assessment package which includes template policies, procedures, implementation tips, and privacy training. This follows the requirements from the standards from the CPSA and the HIA.

The PIA Remote Working and Virtual Care Templates provide you virtual care procedures, workflow, tips, and Privacy Impact Assessment templates that you can quickly and easily download and customize for your healthcare practice. The training provided will help you to assess privacy and security options to assist you to select the best technology solution for your needs. Then, use the Privacy Impact Assessment templates to document your decisions and submit to the OIPC.

 

Yes! I Want Virtual Care Templates

privacy compliance

Privacy Compliance and Technology in Healthcare

Posted on March 7, 2021 by Meghan in Blog

Privacy Compliance and Technology in Healthcare

Event by Rafiki Technologies with Information Managers

 

A Privacy Impact Assessment (PIA) is a practical business tool in your healthcare practice.

A PIA is an important tool that you can use to help you with project management.

It will help you anticipate risks to the project before it starts and avoid serious problems, wasted time and money.

The PIA process requires you to have written policies and procedures so that you can implement the project effectively and train your staff consistently.

Sometimes a PIA is a requirement of legislation. But it is always a best practice whenever you implement a project that includes personal health information.

Join Rafiki Technologies’ Naheed Shivji and Information Managers’ Jean L. Eaton for a guide to successfully keep your patients’ information safe, follow cyber security best practices, and comply with the requirements of the Health Information Act (HIA).

This on-line workshop will provide you with practical tips to plan your Privacy Impact Assessment (PIA) amendment as well as a strategic cybersecurity checklist.

Who Should Attend?

  • Medical, dental, chiropractic, optometric, pharmacy practices in Alberta.
  • Clinic manager, privacy officer or administrative lead responsible for updating your Privacy Impact Assessment.
  • Healthcare provider

Join Naheed Shivji and Jean L. Eaton for a guide to your PIA completion and technology requirements

Thursday, March 18th, 2021

6:00 PM – 7:00 PM MT

Free Registration

 

Click the button below to register for the workshop!

Register for the Complimentary Workshop HERE!
speakers lady man

Meet Naheed Shivji, Founder & President of Rafiki Technologies Inc.

Naheed has more than 20 years of experience in IT with expertise in the dental industry. He is a passionate entrepreneur helping companies understand and embrace technology and is always searching for business best-practices while giving back to the community.

Naheed works hands-on with his clients to develop winning IT strategies and smooth implementations. He is constantly learning and adapting to industry trends to maintain Rafiki Technologies’ position as a leading managed IT services company in Canada.

Meet Jean L. Eaton, BA Admin (Healthcare), CHIM, CC

Your Practical Privacy Coach and Practice Management Mentor with Information Managers Ltd.

Jean has helped hundreds of physicians, chiropractors, pharmacists, and other healthcare providers complete their Privacy Impact Assessment. She has visited hundreds of practices across Canada.

Jean helps independent healthcare practices with practice administration, privacy awareness, privacy breach management, and legislated regulation compliance in Canada.

Jean's career started as a receptionist and transcriptionist in a busy family medical walk-in practice. She moved into health records and health information management and hospital administration in hospitals, regional health authorities, cancer agencies across Canada and Alberta Health.

Now, Jean specializes her consulting practice to independent healthcare practices who want to start, grow, or improve their practice administration so that healthcare providers can focus on providing quality healthcare services. Jean provides training to businesses including healthcare on practical privacy and security best practices and privacy breach management.

If you are starting your new practice and need your first Privacy Impact Assessment, see our available consultation options here.

You May Also Be Interested In:

 

“What is a Privacy Impact Assessment?”

Read the article and watch the short video now to take a look at what is a PIA, what will a PIA do for you, when you need a PIA, and what is the PIA process.

You can also listen to the Practice Management Nuggets podcast episode here.  

 

“How Long Does it Take to do a New Privacy Impact Assessment?”

Ideally, you should start the Privacy Impact Assessment process 3- 6 months prior to your go-live date. Find out more by reading the article.

cybersecurity, dentist, healthcare, privacy, privacy compliance, privacy consultant, Privacy Impact Assessment, security, technology

Why You Need To Get The Right Agreements With Your Vendors

Posted on February 4, 2020 by Jean Eaton in Blog

Donna Grindle knows having a business arrangement agreement between a healthcare provider and their business associate is very important in defining clearly the responsibilities of both parties.  

But, many healthcare providers, business owners, and vendors don’t get this right!

Donna shares her observations on the HIPAA violations trends from the United States so that healthcare providers and vendors in Canada can prevent similar experiences and avoid massive fines and penalties.

Donna Grindle is my guest expert on Practice Management Nuggets For Your Healthcare Practice.

Donna Grindle's #1 Tip to healthcare providers and vendors

Don’t assume. Ask questions! Click to Tweet

My Favorite Takeaways From The Podcast

  • Healthcare privacy and security regulations are more similar than different.
  • Educate as many people as possible about the importance of privacy and cybersecurity.
  • Don't assume that you don't have to ask questions.
  • Privacy is a civil right.
  • Under HIPAA, any business that provides a service to covered entities (healthcare providers) that requires them to have access to protected health information is then considered a business associate (BA).
  • BA's are separately and equally liable to protect patient information.
  • You must have a written agreement between your vendors and your healthcare providers that describes how you will protect patient health information. If you disclose personal information without a written agreement, you are breaking the law.
  • BAA / IMA must include liability clause.
  • Tips: Healthcare Provider Selecting A Vendor
  • Tips: Vendor Selecting A Healthcare Client
  • Cybersecurity insurance

Featured Guest: Donna Grindle

Image ladyFounder & CEO Kardon and
Co-Host Help Me With HIPAA Podcast

Donna brings over 30 years experience in healthcare IT which is the solid foundation of Kardon’s HIPAA privacy and security consulting. Donna stays busy with speaking engagements, the weekly Help Me With HIPAA podcast, and managing a business with a growing client list. Donna’s sense of humor and southern charm spills out into everything she does.

Be sure to tune in to my interview with Donna Grindle,

What Healthcare Practices Should Know About Vendor Vetting And Accountability | Episode #085

Listen To The Podcast Here
#PracticeManagementNugget, BAA, business associate agreement, Donna Grindle, healthcare, HIA, HIPAA, IMA, information manager agreement, podcast, privacy compliance, vendor vetting

Privacy Practice Review

Posted on November 1, 2013 by Jean Eaton in Clinic Manager / Privacy Officer, Established Practice, Services, Vendor

Demonstrate and ensure compliance to your privacy goals. A Privacy Review is an educational and consultative program that serves as a vehicle to identify best practices as well as opportunities for improvement.

Your medical office wants to promote a culture of respect for privacy and information security throughout the organization when providing patient care and accessing and disclosing protected health information.

To demonstrate and ensure continuing compliance to your privacy goals, a Privacy Review, is an educational and consultative program that serves as a vehicle to identify best practices as well as opportunities for improvement.

The Privacy Review is designed to be transparent in order to maximize the opportunity to impart knowledge and effect change.

Each review presents an opportunity to give members of your staff the information and tools that they need to protect patient privacy.

healthcare, Netcare, privacy compliance, reasonable safeguards, security compliance

What is the elephant in the room?

The Elephant in the Room Find out here...

 

Privacy Policy

 

“This was my first ever time I had to work on a PIA and I was a little nervous about doing it efficiently - but you really made it as simple and straight forward as possible. Thank you for being available for my questions when I had them. I would easily recommend Privacy Impact Assessments to Protect Your Practice course for anyone to do their own PIA's! Thank you so much!”

- Karen Sarabura, Clinic Manager and Privacy Officer, CGA Medical Imaging, Alberta

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2023 Information Managers Ltd.

Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage vendors Read more about these purposes
View preferences
{title} {title} {title}