How Will Mandatory Privacy Breach Reporting Affect You?

Posted on July 24, 2018 by Jean Eaton in Blog, PMN Upcoming

Mandatory Privacy Breach Reporting is Coming to Alberta!

Do you know how this will affect your healthcare practice?

. . then this free webinar is for you!

If you are a custodian–including physicians, optometrists, pharmacists, dentists, dental hygienists, chiropractors, nurse practitioners, podiatrists, midwives, optometrists, opticians, and more!–as defined by Alberta's Health Information Act, then . . then this free webinar is for you!

You need to know how mandatory privacy breach reporting will affect you!

In this Free Webinar, Jean L. Eaton, Your Practical Privacy Coach will explain

what is a privacy breach
why a privacy breach is a significant problem
why have mandatory privacy breach reporting
offence and penalty provisions of the HIA
privacy breach notification requirements
what you need to do before August 31, 2018

Join us for this Free webinar

Recorded LIVE Thursday July 26, 2018

Register NOW to get immediate access to the replay and valuable resources to help you prevent privacy breach pain!

. . . available for a limited time!

Register for the FREE Live Webinar Replay!

Check your email for the link to the webinar!

You will also benefit from receiving notices about upcoming events on Privacy Nuggets and similar announcements.

We don't sell or share your personal information. Ever.

Jean L Eaton, Your Practical Privacy Coach with Information Managers Ltd.

“When we know better, we can we do better.”

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too!

I help primary care practice managers and health care providers properly manage the risk of a privacy breach, stay out of jail, avoid fines AND keep an efficient practice!

Jean L. Eaton, Your Practical Privacy Coach Information Managers Ltd.

#PracticeManagementNuggets, amendment, health care, healthcare, mandatory privacy breach reporting, medical, privacy breach, privacy breach notification, Privacy Impact Assessment

A Privacy Impact Assessment is Easy – When You Start With a Good Plan!

Posted on July 5, 2018 by Jean Eaton in PMN Live

Do you need a PIA? or a PIA amendment?

If you are a healthcare provider or clinic manager and are not sure if you need a Privacy Impact Assessment . . . then this 30 minute free webinar is for you!

If you are a custodian–including physicians, optometrists, dentists, chiropractors, nurse practitioners, podiatrists, and more!–as defined by Alberta's Health Information Act, then you probably need a PIA.

Jean L. Eaton, Your Practical Privacy Coach will explain

what a PIA is,
why you need it, and
how to start planning to prepare a PIA.

Click the arrow >> below to play the video

“When we know better, we can we do better.”

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too! I designed this course to assist healthcare providers, clinic managers, practice managers, privacy officers and independent healthcare practice owners provide practical privacy awareness training that was easy to implement, consistent content, cost-effective and meaningful to your day-to-day business.

When each member of your independent healthcare practice completes this privacy awareness course, you will have clearer expectations and confidence that your team will maintain the privacy, confidentiality and security of your patient’s health information. Give your patients the gift of privacy. Improve your healthcare practice with privacy awareness education.

Jean L. Eaton, Your Practical Privacy Coach Information Managers Ltd.

#PracticeManagementNuggets, amendment, health care, healthcare, medical, Privacy Impact Assessment

A Privacy Impact Assessment is Easy – When You Start With a Good Plan!

Posted on July 5, 2018 by Jean Eaton in Blog, PMN Replay, Practice Management Nugget Interview

Do you need a PIA? or a PIA amendment?

If you are a healthcare provider or clinic manager and are not sure if you need a Privacy Impact Assessment . . . then this 30 minute free webinar is for you!

If you are a custodian–including physicians, optometrists, dentists, chiropractors, nurse practitioners, podiatrists, and more!–as defined by Alberta's Health Information Act, then you probably need a PIA.

Jean L. Eaton, Your Practical Privacy Coach will explain

what a PIA is,
why you need it, and
how to start planning to prepare a PIA.

Join us for this 30-minute interactive webinar

LIVE Thursday July 5, 2018

12 Noon MDT

The replay is ready! Register for the FREE 30 minute Webinar recorded live!

Check your email for the link to the webinar!

You will also benefit from receiving notices about upcoming events on Practice Management Nuggets Webinars for Your Healthcare Practice and similar announcements.

We don't sell or share your personal information. Ever.

“When we know better, we can we do better.”

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too! I designed this course to assist healthcare providers, clinic managers, practice managers, privacy officers and independent healthcare practice owners provide practical privacy awareness training that was easy to implement, consistent content, cost-effective and meaningful to your day-to-day business.

When each member of your independent healthcare practice completes this privacy awareness course, you will have clearer expectations and confidence that your team will maintain the privacy, confidentiality and security of your patient’s health information. Give your patients the gift of privacy. Improve your healthcare practice with privacy awareness education.

Jean L. Eaton, Your Practical Privacy Coach Information Managers Ltd.

#PracticeManagementNuggets, amendment, health care, healthcare, medical, Privacy Impact Assessment

How Long Does It Take to Do a PIA?

Posted on June 2, 2018 by Jean Eaton in Blog

Have you ever said… “If only I had someone to ask!”

Each month, we discuss your questions about practice management, human resources issues, clinic management best practices, procedures, resources, practical privacy tips, and more in Practice Management Success membership.

In this Q&A, we're talking about:

How long does it take to do a PIA?

Click the >> arrow above to play the video.

I’m opening my practice next month.

I just learned that I need to complete a Privacy Impact Assessment.

What do I do now?

Unfortunately, I hear this question far too often!

Here’s What You Need to Know About the Timelines Required to Complete a Privacy Impact Assessment

how long to do a PIA

In the perfect world, you will start your PIA process about 6 months before you plan to open your practice.

You will start with developing the privacy and security policies and procedures.

Next, you will discuss with the EMR vendors, computer IT support vendors, and other stakeholders about your operational needs and ensure that the vendors can meet PIA requirements.

At this point, about 4 months before Go Live, you will start writing your Privacy Impact Assessment documents.

You will review and accept the Privacy Impact Assessment internally to your organization and ensure that each of the custodians have reviewed, understood, and accepted the Privacy Impact Assessment.

Then, you will submit the Privacy Impact Assessment to the Office of the Information and Privacy Commissioner (OIPC) about 3 months before your go-live date.

Start With Privacy and Security Policies and Procedures

If you are planning to open your healthcare practice soon or planning to implement a new project in your existing clinic, your first step is to review (or create) your privacy and security policies and procedures.

Guidance for Electronic Health Record Systems

To help you with your discussion of PIA requirements with your vendors, the OIPC has produced a document, “Guidance for Electronic Health Record Systems“.

This guide was developed to assess the safeguards in electronic health record (EHR) systems. Custodians and their EHR service providers may use this document to support a Privacy Impact Assessment on an EHR system, or to examine whether changes to a system comply with Health Information Act requirements. Published in June 2016.

This is intended to assist you to have a discussion with your vendors. The guidelines are not part of the PIA submission. The Guideline will help you to ask good questions with your vendors so that you can get good answers. You will include the answers to the questions in your PIA submission.

If you are currently looking for a vendor for your EMR, practice management system, computer network system or, perhaps, your billing system, these are the questions that you need to discuss with your vendor. Their answers will help to inform you and assist you in selecting good vendors for your practice.

If You Are a Vendor That Supports Healthcare Practices

If you are a vendor that supports healthcare practices, I encourage you to download the document, Guidance for Electronic Health Record Systems, and complete it from the perspective of your product or service even if your product isn't an EHR. Then, you can share the completed document with your prospective clients and custodians as a demonstration of your privacy and security practices and support your clients with their PIA submission.

Don't Wait!

If you haven’t done your PIA yet, you definitely need to get this completed. You need to have your policies and procedures completed and your PIA submitted to the OIPC for their review and acceptance before you open your new practice.

Want more content like this?

For more information about Privacy Impact Assessments, see

Click Here to Get More About PIA's

health care, healthcare, medical, plan a PIA, Privacy Impact Assessment, timeline

Does a Dentist Need a PIA?

Posted on May 22, 2018 by Jean Eaton in Blog

Have you ever said…

“If only I had someone to ask!”

Each month, we discuss your questions about practice management, human resources issues, clinic management best practices, procedures, resources, practical privacy tips, and more in Practice Management Success membership.

In this Q&A, we're talking about: Does a Dentist Need a PIA?

If you are a member of Practice Management Success, login and join me now on the webinar. The replay will be available in your membership area.

I’ve had a dental practice for 10 years. Do I need a PIA?

In Alberta, the Health Information Act (HIA) was proclaimed in 2001.

Dentists and dental hygienists were named as a designated health professional under the HIA in March 2011.

A custodian as defined by the HIA is defined

1) as a member of a Regulated Health Profession

2) the Health Profession is named in the HIA as a custodian

3) the individual is acting as a custodian

There is a ‘grandfathering’ period when custodians who were already in practice at the time are not required to submit a privacy impact assessment (PIA). The dental practice, of course, must meet all of their dental college requirements including appropriate privacy and security policies, procedures, and reasonable safeguards to protect the privacy, confidentiality, and security of personal health information.

If (when) you have had any changes to your practice, you need to complete a PIA. For example, since 2011, have you had any changes to:

administrative practice, for example, changes to billing practices, third party contractors, moving to a new location, etc.
information system, for example, computer network changes, remote backup, or practice management or EMR software
practices relating to the collection, use, disclosure of personal (health) information
new or changes to your current information flow (for example new projects, stakeholders, Netcare)
legislation (i.e. research)
any new risks to the privacy of health information
custodians, for example custodians (including dentists and dental hygienists) leaving or joining your practice

The PIA is a process that assists custodians to review the impact that an implementation of a new administrative practice, information system, or change to existing practices or systems relating to the collection, use and disclosure of individually identifying health information, may have on individual privacy.

A PIA describes the information flows in the project, identifies the legal authorities that allow for the flow of information, assesses potential impacts on and risks to privacy and identifies mitigation strategies to minimize the risks.

The process is designed to ensure that the custodian evaluates the new practice or proposed change to ensure technical compliance with the HIA as well as assessing the broader privacy implications for individuals.

Often, the Privacy Officer of the dental practice completes the Privacy Impact Assessment. However, the custodian or CEO is responsible for the Privacy Impact Assessment.

Privacy principles and legal authority determine compliance obligations.

If you don't have a PIA already for your dental practice, and you were in practice prior to 2011, you probably will need a PIA soon. If you opened your practice after 2011, or are just planning your practice now, you need a PIA.

For more information about PIA's, pop over to our resource page here:

Tell me more about PIA's

Want more content like this?

Get Your Practice Management Success membership

dental, dental hygienist, dentist, healthcare, PIA, Privacy Impact Assessment

What is an Information Manager Agreement (IMA)?

Posted on October 25, 2017 by Jean Eaton in Blog

Having a clear agreement of how patient records will be maintained to ensure privacy, security, and confidentiality in a paper based patient record or in a shared EMR database is the objective of an Information Manager Agreement. This may also be called a Data Sharing Agreement, Information Sharing Agreement, or Business Associate Agreement.

Prenuptial Agreement

In a group healthcare practice, have a clear understanding in writing that sets out how patient records will be collected, used, and disclosed during the group practice is critical to the security of the patient information, health service provider information, and good will between members of the group practice. Think of this as the ‘prenuptial' agreement in your business relationship.

Who is an Information Manager?

In Alberta, the Health Information Act (HIA) defines an information manager. Generally, it is a special kind of an affiliate, usually a business or a vendor, who provides a service that does some specific task (authorized by the custodian) with health information. This could be a billing agent, accredited billing submitter, outsourced transcriptionist, EMR vendor or other service provider.

If you are using an EMR vendor, the named individuals on the IMA are the only persons that the software vendor can receive instructions on how to manage the records in the database. Often, this is the physician lead and business owner.

Sometimes, the custodian is also the information manager. For example, a physician (custodian) and business owner may assume the responsibility of ensuring the security of all the patient records authored by other custodians in the group practice. The physician / custodian / business owner / information manager must follow all the rules of the IMA and HIA.

Not every healthcare practice has an information manager. Some group practices have many information mangers providing different services. There are many details and options to consider. The discussion–and then putting it in writing–is the key to positive business relationship and secure records management.

Avoid surprises – and nasty exits

Some tips to prevent surprises:

Take a pro-active privacy role and inform patients how their information will be protected during the routine practice operations and when healthcare providers are added to – or leave – the practice.
Decide how you are going to decide about the on-going operational changes to how the software will be used in your practice.
Identify in the EMR software who is the primary (or default) healthcare provider for each patient. Talk with your software vendor how best to record this.

It’s never too late to start! If you missed creating an Information Management Agreement or Data Sharing Agreement in your group practice, do it now!

See the Digital Resources for samples that you can use.

Clinic on the Infographic to download

Download our Infographic, “What is an IMA?”

Watch the Video

business arrangement agreement, data sharing agreement, Health Information Act, HIA, IMA, information manager agreement, information sharing agreement, PIA, Practical Privacy Coach, Privacy Impact Assessment

Privacy Impact Assessment (PIA)

Posted on May 1, 2017 by Jean Eaton in Clinic Manager / Privacy Officer, Established Practice, New Practice, Services, Vendor

Does your medical practice collect personal health information?

If so, you may need to conduct a Privacy Impact Assessment (PIA).

The Health Information Act requires health providers to complete a Privacy Impact Assessment when you:

open a new clinic
establish a new health services program
change how you collect and use personal information
implement Electronic Medical Records (EMR), or transition to a new EMR provider
share information with a Primary Care Network or other health program
access health information from Netcare or other data repositories

Information Managers' Privacy Impact Assessment (PIA) consultation helps you document your practices, meet practice management best practices, and ensure compliance with regulatory legislation.

The PIA consultation includes reviewing your current practices, documenting current or new privacy and security policies and procedures, information flow, legal authority analysis, risk assessment, and Privacy Impact Analysis. Contact us and we’ll take a look at your current office practices and let you know how we can help make your workload easier, your information secure, and meet regulatory compliance.

The ABCs of Privacy Impact Assessments

What do you know about Privacy Impact Assessments (PIAs)? If you have implemented an electronic medical record (EMR ) funded through a provincial program, you have probably had to go through a PIA. It was probably time consuming to some degree, but perhaps not as bad as you thought. Jean Eaton is a consultant and expert on Privacy Impact assessments in the medical office. She explains in this blog post, The ABCs of Privacy Impact Assessments, what you should expect when required to undertake a PIA.

Listen to the podcast with Dr. Alan Brookstone of Canadian EMR.

Document Management Tip: What is a Privacy Impact Assessment?

YouTube video: What is a Privacy Impact Assessment? Who needs a PIA? How can I tell if I have a PIA? Information about privacy impact assessments in Canada. Additional details for Alberta and Health Information Act, HIA, OIPC.

Having problems viewing the video here? Watch it on our YouTube channel: What is a PIA?

Computer Network Vendors and Privacy Impact Assessment

Video especially for vendors that supports healthcare practices

E-course: Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments

A PIA should be as common place to a healthcare practice as a business plan is to a business. BUT most healthcare practices don’t know this and often don’t know that a PIA is usually part of their professional college requirements and often even a legislated requirement! Prevent malicious errors, omissions or attacks that could result in fines and even jail time for the business, healthcare provider, employee, or vendor by completing a PIA.

If your Privacy Impact Assessment was written more than 2 years ago this e-course is for you

The Clinic Manager and Physician Lead and Privacy Officer must ensure its content is updated to reflect the current state of administrative, physical and technical controls.

BONUS! Checklist to update your PIA to meet recent changes to Alberta’s Netcare Portal. If your practice has completed a PIA and now you need to update the PIA, you receive a checklist of items that you need to consider to refresh your PIA.

If you a vendor that supports healthcare practices this e-course is for you

BONUS! One hour tele-consult with Jean, “Create a branded Privacy Impact Assessment Readiness Package”. Jean will work individually with you to review your documentation and coach you on how to prepare the package to give to healthcare practices.

BONUS! Vendor PIA live webinar includes Vendor non-disclosure agreement, Information Manager Agreement, GAP Analysis, Computer Network Narrative templates.

Jean has helped hundreds of physicians, chiropractors, pharmacists, and other healthcare providers complete their Privacy Impact Assessment. She has visited hundreds of practices across Canada. But time and geography limit my ability to visit each healthcare practice that needs a PIA. That’s why I developed this on-line interactive course to help you learn everything you need in order to review, amend, or create your own PIA. Each module includes a weekly live webinar, as well as templates, tools, resources and two common case studies to build on each week. You can use these scenarios to guide you through the PIA process.

You know your practice better than anybody else. If you had the right tools, at the time most convenient for you and a mentor to help you, you can develop good office practices, meet legislated and college requirements, and successfully complete your Privacy Impact Assessment requirements.

Consult, electronic medical record, EMR, health, healthcare, medical, Netcare, PIA, PIA completed, PIA templates, Privacy Impact Assessment

Do You Need a New PIA When You Open a New Location?

Posted on August 30, 2016 by Jean Eaton in Blog

Congratulations! You are expanding to a new location!

Do you have a PIA for that?

When a physician or another healthcare provider opens another location and both locations are remarkably similar – same employer, same ownership, same EMR and backup practices, etc. – then you may need to only update or amend your original Privacy Impact Assessment.

My recommendation is to review the ‘Clinic Description’ of the initial Privacy Impact Assessment and edit and update all changes.

This will help you to determine if they need a new Privacy Impact Assessment for the new location. If you have a lot of updates – you might need to prepare a Privacy Impact Assessment Amendment and include the information about your new location.

If there are no significant changes, then it may be sufficient to update the clinic description for both clinics, add the additional description of the new clinic and send a Privacy Impact Assessment Amendment to the OIPC. This can often be a letter with an attachment of the updated clinic description.

Most clinics have had, at least, a change in staffing, physicians, and privacy officers.

Has the legislation changed?

Don't forget to consider when the original Privacy Impact Assessment was completed. If it was prior to 2014 then you will need to update your policies and procedures including the amendments to Alberta's Health Information Act and Alberta Electronic Health Records Regulations.

For more information about PIA's see our introductory video.

amendment, Health Information Act, PIA, Privacy Impact Assessment

Protected: Module 5: Complete your PIA Submission

Posted on February 6, 2016 by Meghan Davenport in PIA E-Course 3

healthcare, PIA, Practical Privacy Coach, Privacy Impact Assessment

Are You a Vendor That Supports Healthcare Practices?

Posted on January 14, 2016 by Jean Eaton in Blog

New healthcare business needs IT solutions and asking if you have a PIA

(what will you do about it?)

Healthcare practices throughout Canada and the US need IT services and have money to buy new hardware, software and service contracts. They also need a Privacy Impact Assessment (PIA) and want to work with a vendor who is PIA prepared.

Vendors are required to comply with the healthcare providers ‘PIA's and their privacy, confidentiality, and security best practices.

“A PIA should be as commonplace to a healthcare practice as a business plan is to a business.”

-Jean L. Eaton, Your Practical Privacy Coach

BUT most healthcare practices don't know this and often don't know that a PIA is usually part of their professional college requirements and often even a legislated requirement! Developing a PIA and the supporting policies and procedures will help a healthcare practice to prevent gross errors, omissions or attacks that could result in fines and even jail time for the business, healthcare provider, employee, or vendor. A vendor that supports healthcare practices must:

Understand the PIA process and the healthcare customer needs
Understand the requirements of legislation (for example, Health Information Act Regulations, Electronic Health Records Regulations, HIPAA, etc.) that the clinic must follow, it includes technical safeguards to protect privacy and confidentiality and security of patients' health information.
Makes sure that vendor's business practices meet privacy and safety legislation. This is an excellent opportunity for the seller to lead by example and demonstrate how to implement and follow best practices. This includes:
Having a named Privacy Officer
Implementing an internal privacy and security incident management program
Implementing a privacy awareness program for all of your employees
Providing an Information Management Agreement (IMA) or Business Agreement (BA) to the healthcare provider that meets regulations.

Not every healthcare practice knows all of the technical, physical, and administrative safeguards that should be in place to prevent the risks of unauthorized access, use, or disclosure of sensitive health information. A vendor that understands the requirements can make better recommendations for the healthcare practice. In fact, the experienced vendor can:

Create a premium value-added service to guide all new clinics with step by step instructions about the regulations and requirements of the service and
Profile how the vendor can best support the healthcare practice
Create more sales and help more customers by providing the services they need (even if they don't know it, yet!).
Coach the healthcare practice early in the sales process about how the vendor's services can support the healthcare practice. This results in less work and headache for both the practice and the provider.

Do you want to become the preferred vendor in this large customer niche?

You need to learn what the healthcare business needs to successfully complete their Privacy Impact Assessment. Then you can develop branded PIA Readiness Plan for your business that you can give to the healthcare provider to support them to create their PIA.

Have you seen this?

IT vendor Privacy Impact Assessment Readiness Plan

Brought to you by Jean L. Eaton, Your Practical Privacy Coach

Join Privacy Nuggets and get some more tips, tools, and templates that you can use right away to improve your privacy management program.

BA, health care, healthcare, IMA, IT vendor, PIA, Practical Privacy Coach, Privacy Impact Assessment, Privacy Impact Assessment Readiness Plan, vendor

Mandatory Privacy Breach Reporting is Coming to Alberta!

You need to know how mandatory privacy breach reporting will affect you!

Join us for this Free webinar

Recorded LIVE Thursday July 26, 2018

Register for the FREE Live Webinar Replay!

Check your email for the link to the webinar!

“When we know better, we can we do better.”

Click To Play

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course

“When we know better, we can we do better.”

Join us for this 30-minute interactive webinar

12 Noon MDT

The replay is ready! Register for the FREE 30 minute Webinar recorded live!

Check your email for the link to the webinar!

“When we know better, we can we do better.”

In this Q&A, we're talking about:

How long does it take to do a PIA?

I’m opening my practice next month.

I just learned that I need to complete a Privacy Impact Assessment.

What do I do now?

Here’s What You Need to Know About the Timelines Required to Complete a Privacy Impact Assessment

Start With Privacy and Security Policies and Procedures

Guidance for Electronic Health Record Systems

If You Are a Vendor That Supports Healthcare Practices

Don't Wait!

Want more content like this?

In this Q&A, we're talking about: Does a Dentist Need a PIA?

I’ve had a dental practice for 10 years. Do I need a PIA?

Want more content like this?

Prenuptial Agreement

Who is an Information Manager?

Avoid surprises – and nasty exits

Watch the Video

Does your medical practice collect personal health information?

If your Privacy Impact Assessment was written more than 2 years ago this e-course is for you

If you a vendor that supports healthcare practices this e-course is for you

Congratulations! You are expanding to a new location!

Has the legislation changed?

New healthcare business needs IT solutions and asking if you have a PIA

(what will you do about it?)

Do you want to become the preferred vendor in this large customer niche?

Have you seen this?

Brought to you by Jean L. Eaton, Your Practical Privacy Coach