Best Computer Service Support Options for Your Small Healthcare Practice

Posted on August 30, 2022 by Izza Nuguit in Blog

What is the Best Computer Service Support for Your Small Healthcare Practice?

Many healthcare providers starting their first practice are ‘bootstrapping’ their business. They don’t have external investors in their business. Business owners are balancing what can they do themselves and what services to hire from someone else.

Today, we will strategize how to implement technology in your healthcare practice and have a look at the different options available to you to select the best computer service support for your small healthcare practice.

Should You Do It Yourself?

When starting your own healthcare practice, it can be tempting to try to save costs by trying your hand at a DIY approach for managing the hardware and software required to run a practice.

That might work for a while. But soon, you will want to look into your options for outsourcing some of this.

When outsourcing your information technology (IT) need, it’s important to remember that you are ultimately responsible for managing the collection, use, security and safeguards for all personal information that you collect and control.

Let me help you with some definitions, terminology, resources to help you manage your computer network system and to determine what services are best suited for your needs.

We’ll have a look at:

Internet Service Providers
Managed Service Providers VS Managed Security Service Providers
Hardware as Service
Value Added Resellers
Cloud Service Providers
Software As A Service (SaaS), and
Remote Monitoring and Management Tools

Keep reading to find out the differences of these.

What is an Internet Service Provider (ISP)?

Internet service providers are likely the service on this list you are already most familiar with-–after all most of us deal with them in our personal lives, as well as in our professional lives.

These are companies which provide services which allow us to access the internet.

Unfortunately, some people assume that their ISP is also providing network security at the same time, which is simply not the case the majority of the time.

Something as simple as not changing the default password on your modem or wireless router can lead to vulnerabilities in your network. Right away, many DIY business owners are starting to feel the pinch about not knowing enough about IT to keep their practices secure.

There are some internet service providers also now offering managed service provider system as well. If you choose to go this route, ensure that you have a clear understanding about what they can and cannot do and documentation to show what exactly what is included in your fees.

Managed Service Providers (MSP) and Managed Security Service Providers (MSSP)

The definition of Managed Service Provider (MSP) is:

A MSP delivers services, such as network, application, infrastructure and security, via ongoing and regular support and active administration on customers’ premises, in their MSP’s data center (hosting), or in a third-party data center.

MSPs may deliver their own native services in conjunction with other providers’ services (for example, a security MSP providing sys admin on top of a third-party cloud IaaS). Pure-play MSPs focus on one vendor or technology, usually their own core offerings. Many MSPs include services from other types of providers. The term MSP traditionally was applied to infrastructure or device-centric types of services but has expanded.

– Gartner's Information Technology Glossary

Managed service providers are a great option for end users without the technical expertise required to manage their own networks.

If considering an MSP, you may consider referencing the Risk Considerations For Managed Service Provider Customers document put out by the Cybersecurity and Infrastructure Security Agency which outlines risk considerations organizations need to consider when they partner with a MSP.

MSP vs MSSP

Managed Security Service Providers (MSSP) provide security monitoring and management services to organizations to ensure they are protected from cybersecurity threats.

The types of services MSSPs can offer include threat monitoring and intrusion detection, firewall management, patch management, endpoint protection, and penetration testing as examples.

An MSP ensures your IT systems are operational, but a MSSP offers true security as a service, ensuring your people and systems are safe, secure and compliant.

Managed Services are a good way for businesses to get a high-quality IT service at a predictable monthly cost, instead of having to manage everything themselves, in-house.

What is Hardware as a Service?

Hardware as a Service allows customers to outsource the procurement, installation and support of their IT hardware, at a fixed and predictable monthly cost. Companies who use Hardware as a Service benefit from knowing any issues with their hardware will be diagnosed and fixed by the provider, without having to guess at the cost of the repair.

This is a convenient way of getting the best hardware without having to spend much cash upfront. The service model is similar to leasing or licensing whereby a business obtains IT hardware from a company, and the terms are dictated by a Service Level Agreement (SLA). In the case of hardware breakdown or any hardware becoming obsolete, the hiring company is responsible for repairing or changing it. Hardware as a Service can be provided by a managed service company or as a stand-alone service provided to businesses who are looking to acquire IT hardware.

Typically, these vendors do not provide ongoing monitoring, updates, and patch support to your network.

What is a Value-added Reseller?

A value-added reseller takes existing hardware, adds features such as third-party software, and then sells it at a markup to the end user.

The biggest difference between VARs and MSPs is the term of their involvement with the end user. VARs generally operate on a transactional basis (per license or seat), or a short-term contract. By contrast, MSPs operate on longer-term annual or multi-year contracts, and the tenure of their relationship is open-ended.

What is a Cloud Service Provider (CSP)?

CSPs offer access to technology and infrastructure that they own. This may be part of your digital transformation plan.

You’ve likely heard of some of the more popular cloud service providers, such as Amazon Web Services, Microsoft Azure and Google Cloud Platform.

If you choose to use a cloud service for storing information, you’ll want to do some due diligence to determine the security the service has in place, where the information is stored, and to avoid services which have servers outside of Canada. Even when you use a CSP, you are still responsible to ensure that your local computer environment is secure. This is referred to as a Shared Responsibility model.

What is the Software As A Service (SaaS) Business Model?

SaaS is a type of CSP. The vendor provides a software on their data centre and you remotely access the software and use it on your device. Examples of this includes Microsoft Office 365, Google Workspaces, and even some electronic medical record (EMR) and electronic dental record (EDR) service providers.

If you’re using a service such as this, the same security caveats which come with cloud services need to be considered such as where the servers storing the information are located.

Privacy, confidentiality, and security of personal information is a shared responsibility whether it is on your device or an outsourced service.

You must properly configure your SaaS so that it is properly securing your data, and communication between yourself and your vendor is critical to understanding the shared responsibility of securing the data.

As the end user, you are responsible for security ‘in’ the cloud. This includes the responsibility of:

Collecting and maintaining the customer / PHI data
Identity and access management (IAM)
Application management
Operating system and firewall on your devices
Client side data encryption, data integrity, authentication
Server-side encryption
Network traffic management

Remote Monitoring and Management Tools (RMM)

Many MSPs, and some internal IT teams, use a remote monitoring and management tool (RMM). This is the software put on the workstations and servers, primarily. These tool report back to the RMM server and provides data so that the MSP can monitor and manage the system.

The tool allows the MSP to see issues such as:

When software needs to be updated
If computer needs to be rebooted
That there was an error in a system log that needs to be addressed.

All of this happens behind the scenes and allows the MSP to manage your system remotely.

The issue with RMM is that the software has the ability to fully control your computers so these RMM tools need to be secured.

If not secured properly from internal threats as well as external threats and a bad guy is able to get into your MSP’s RMM, they now have access to every single client network—including yours!–that the MSP manages. And that is a bad, bad day!

Vet Your Vendors for the Best Computer Service Support Option

Most healthcare providers start with a DIY approach to their computer network. Over time, your needs will change. It is good practice to meet regularly with your vendors to re-visit your IT strategy.

Your best computer service support option during your start-up phase will likely be different as your business matures.

When you select the right outsourced service to support your healthcare practice, you will improve your practice management efficiency and privacy compliance.

Remember to vet the vendor before you enter into a service agreement and Information Management Agreement.

See the Practice Management Nuggets Podcast for Your Healthcare Providers, What Healthcare Practices Should Know About Vendor Vetting And Accountability | Episode #085 with guest Expert Donna Grindle for tips to help you with this step.

Join Practice Management Success Today!

As a healthcare provider, you need to stay on top of changing trends and technologies that impact privacy compliance and efficient practice management.

Changing technology and properly managing computer systems is just one aspect of that.

Practice Management Success offers you access to tools, templates, tips, and training to help solve common problems which may come up in your practice.

It's kinda like having a clinic manager mentor (or a Jeannie) on Zoom!

Become a member of the Practice Management Success Membership!

digital health, healthcare practice management, privacy

How Does Unique User ID Protect Patient Information In Your Practice?

Posted on August 18, 2022 by Izza Nuguit in Blog

Why You Need Unique User ID In Your Healthcare Practice

When you’re setting up computer systems for your healthcare practice, start by ensuring that every user has a unique user identity (user ID).

Sharing login credentials for everyone on your team can lead to compromised account security, which makes you more vulnerable to phishing attempts, and leads to a greater risk of sensitive information getting into the wrong hands.

Today we’re going to look at why you need to ensure everyone on your team who requires access to IT systems has their own unique user ID and login credentials.

What is User ID?

The user ID or username that you create when you are granted access to a computer network or software application should be unique to the user (not shared). The user ID is persistent—that is, it doesn’t change.

While a user ID needn’t be as complex as a password, you want to avoid an easily guessed or spoofed name. Instead, create a user ID that is reasonably short and uses a mix of letters and numbers and special characters. The system should not allow duplicate user ID’s and may have additional criteria about what the name can include.

Sometimes, the user ID appears linked to the content that you enter. For example, the username might be associated with a clinic note you enter in the electronic medical record, internal messaging, or even a blog post.

You can think of the user ID as your digital signature that uniquely identifies the computer user.

You may also have certain programs or additional software, applications, and data, including sensitive information, personally identifying information (PII), and personal health information (PHI) which require an additional unique user ID and password.

Don’t Share Your Unique User ID!

Individuals are responsible for their unique user ID. A user ID is important to provide non-reputability for the user. It ensures that the user cannot deny having taken a particular action.

For example, in an office computer, a user ID would be used to login to the system. Once the user is logged in, they can view their personal folders, shared folders, access to printers, and so on. If the user were to deny accessing and printing a particular file, the user ID would prove that they had indeed accessed and printed the file.

Layers of Protection Is Better

A two-step process that requires the user to enter their unique user ID to access a computer or device, and another unique user ID to access a program like an EMR, is an example of a dual login. This added level of security ensures that an authorized user has access to both the local device and the software.

Multi-factor authentication (MFA) is a better level of security. Again, this starts with entering a unique user ID on the device, a different unique user ID to access specific software, and a token or code that is sent to the user. The user must enter the code into the software prior to access granted. The goal of this authentication intent is to make it more difficult to access devices or applications without the subject’s knowledge, such as by malware on the endpoint.

MFA is a core component of a strong identity and access management (IAM) policy. It all starts with having a unique username, password, and an additional verification factor, which decreases the likelihood of a successful cyber attack.

79% of organizations have experienced an identity-related security breach in the last two years [Identity Defined Security Alliance] and 61% of all breaches resulted from stolen credentials, whether through social engineering or brute force attacks. [Verizon Data Breach Investigations Report].

Why You Need Unique User ID In Your Healthcare Practice

Benefits of enforcing unique user ID for every user include:

Tracking user activity and manage overall operations on a particular system, network or application.
Improved security, decreased likelihood of inappropriate access, reduced errors, reduced malicious actions internal and external to the business.
Avoidance of fines and sanctions, under privacy legislation.

My EMR / EDR Has Unique User ID. Isn’t That Good Enough?

Many healthcare practices have not yet implemented a unique user ID policy. Instead, they rely on the electronic medical record (EMR), electronic dental record (EDR) or other practice management software (PMS) system to require unique user ID to access this sensitive data.

This simply isn’t good enough. Locking the back door while the front door is unlocked is not a sufficient deterrent to prevent unauthorized access to your systems and the information that it contains.

I’m certain that there are other sections in your computer files where sensitive information (employee, business, and/or patient information) is maintained. This needs to be protected by identity management and audit tracking, too.

The extra layer of protection of having unique user ID to access your computer system AND another unique user ID to access your EMR / EDR is a reasonable safeguard. Alberta Netcare, NIST, and privacy regulations recommend this minimum standard.

In IBM’s Cost of Data Breach Report 2021, compromised credentials were responsible for 20% of breaches.

Having shared user accounts (instead of unique user ID) increases the likelihood that the user credentials will be compromised and may result in a privacy and security incident.

The IBM report also identified that a zero trust approach helped reduce both the likelihood and the cost of a privacy and security breach. Zero trust means that everyone accessing electronic data must use strong authentication and authorization at all times. In short, don’t assume that because the user is accessing a computer at a specific location, that the user is authorized to access the computer.

Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.

Make It Easy To Implement Unique User ID Policy

Businesses should use business-grade computer hardware and software for their computer networks and mobile devices. Select operating systems that make it easy to create and manage user accounts. Ensure that user activity audit logging is enabled.

You might be ‘pretty good’ at managing a computer. However, I recommend that healthcare providers, clinic managers, and business owners contact a local computer network technician or managed service provider to help you properly set up user management. Protect your patient’s information and your practice with good computer user management.

Join Practice Management Success Today!

As a healthcare provider, you need to stay on top of changing trends and technologies-–not just those related to your work, but things in the world which can affect how you manage your practice and patients.

Changing technology is a huge part of that world, and properly managing computer systems is just one aspect of that.

Become a member of the Practice Management Success Membership!

Practice Management Success offers you access to tools, templates, tips, and training to help solve common problems which may come up in your practice.

It's kinda like having a clinic manager mentor (or a Jeannie) on Zoom!

digital health, healthcare practice management, privacy, security

Alberta’s New OIPC Commissioner

Posted on July 30, 2022 by Izza Nuguit in Blog

Alberta’s New OIPC Commissioner

The Select Special Information and Privacy Commissioner Search Committee recommends the appointment of Diane McLeod as Alberta’s Information and Privacy Commissioner effective August 1, 2022.

The next time that you correspond with the AB OIPC office, make sure to change the following names in your templates:

Change the name of the outgoing Commissioner, Jill Clayton, and replace with the name of the new Commissioner, Diane McLeod.

More details are in the news release from the Office of the Information and Privacy Commissioner here.

What Does the Alberta OIPC Do?

The Commissioner is an agent of the Legislative Assembly of Alberta. This is not a government department nor is it a department under Alberta Health Services.

The mission of the Office of the Information and Privacy Commissioner of Alberta (OIPC) is to advocate for the access and privacy rights of Albertans, to ensure that public bodies, health custodians and private sector organizations uphold the access and privacy rights contained in the laws of Alberta, and to provide fair, independent and impartial reviews in a timely and efficient manner. OIPC of Alberta

There is a similar role in each of the provinces in Canada.

When to Contact the Alberta OIPC Commissioner

If you are in Alberta and you are a custodian (including physicians, dentists, chiropractor, podiatrist, optometrist, pharmacist, RN and others) you might need to contact the AB OIPC Commissioner in any one of these scenarios.

You are submitting a new Privacy Impact Assessment.
You have a change in custodians in your practice (a custodian moves, retires, or you add a new custodian to your practice.)
You have experienced a privacy breach in your practice and must inform the Commissioner.

If you are a resident of Alberta, you might contact the Commissioner if

You have a complaint about how a business manages your personal information. Ideally, you will bring your complaint to the privacy officer of the business first, before filing a complaint to the OIPC. Ideally, you will bring your complaint to the privacy officer of the business, first, before filing a complaint to the OIPC.

There are other situations that may arise that you may need to contact the OIPC. The Commissioner performs the responsibilities set out in Alberta’s three access to information and privacy laws:

Freedom of Information and Protection of Privacy Act (FOIP)
Health Information Act (HIA)
Personal Information Protection Act (PIPA)

The Commissioner checks or regulates that the businesses to whom the above legislation (and others) apply works according to these laws.

The OIPC website has many resources and reports available to better understand your roles and responsibilities regarding the collection, use, access, and disclosure of personal information.

Do you have questions about privacy compliance and practice management at your healthcare business? I’m happy to help you!

Email Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor to book a quick, 10-minute call with me.

OIPC Commissioner, privacy

Your Patient Requests To Record Their Appointment With You

Posted on July 29, 2022 by Izza Nuguit in Blog

Your Patient Requests To Record Their Appointment With You – What Does This Mean For You, As A Health Care Provider?

Often, doctors’ visits are fairly straightforward.

When there are no major concerns or new diagnoses, it can be in and out quickly, and with little fuss.

There are times, however, when visiting the doctor can be overwhelming for patients.

When a patient is receiving a new diagnosis, for instance, it often comes with instructions for how to best manage their condition, dietary restrictions, or exercises they need to perform in order to help them achieve a better outcome.

In cases like this, some patients may request to record their conversations with you, their healthcare provider.

The first time you receive a request like this, it may seem surprising.

With technology such as smartphones, it’s becoming easier and easier for people to make these recordings so it’s best to be prepared for it.

Let’s have a look at the things you need to consider when it comes to patients who ask to record their appointments.

Why Do Patients Want To Record Conversations?

A patient may request to record a conversation for several reasons.

Some of these may include:

More accurate sharing of health advice and instructions with other family members or caregivers who help them manage their diagnosis
Allows for better communication between you as a healthcare provider and your patients
Improved compliance with instructions, as they will refer to the recording

Benefits To Recording Patient Appointments

Each of these reasons ultimately has the effect of potentially helping improve compliance with your instructions, and thus improving patient outcomes.

“71% of patients listened to their recordings, while 68% shared them with a caregiver.” – The Dartmouth Institute for Health Policy & Clinical Practice

Unfortunately, anytime you are recorded, there is the potential drawback that recordings could be used inappropriately.

Some inappropriate use of recordings by patients may include:

Recording without the consent of the healthcare provider.
Recording information (audio, visual) of other persons, including patients, visitors, or other employees.
Sharing of recording inappropriately on social media.
Security of the recording may be compromised, which may negatively affect the patients’ and the healthcare providers’ privacy.
Patient’s recording of the healthcare visit may be used against the healthcare provider in a complaint process.

As you can see, there are both benefits and drawbacks to allowing recording of conversations with patients.

Now we will look at the next steps when you allow recording and when you would prefer to not be recorded.

I’ve Agreed To Be Recorded – Now What?

If your patient has requested to record your session, and you’ve agreed, there are some things which will need to be discussed before moving forward regarding appropriate use of recordings.

The patient usually requests permission to record at the beginning of the encounter.

Discuss and agree to the terms of the recording, for example:

• How the recording will be made
• How a recording will be made available to the patient’s health record
• Identify (name) who will be included in the recording and ensuring that the privacy of other people is not affected
• How follow-up questions will be managed.

Document the Encounter

You, as the healthcare provider, may make the recording, keeping a copy for the health record, and share the recording with the patient. Or, you may make a separate recording at the same time of the patient and add the recording to the patient’s health record.

If you will also make a recording, the patient is required to consent in writing to the recording. Include the patient’s consent in the patient’s health record.

In addition to the clinic notes you may make:

Securely maintain the audio recording in the patient’s health record or in a digital audio file format securely stored on the computer network.
In the patient’s health record clinic note, include the link to the computer file with thee recording.
The healthcare provider will record in the clinic note:
- The conversation was recorded – by whom and who has control of the audio file.
- Consent was obtained (if applicable)
- Summary of the conversation

What If I Don’t Feel Comfortable Being Recorded?

If a patient requests to record your session, you may choose to decline their request.

This may just be because you are working to implement policies and systems surrounding recording, but they aren’t quite in place yet.

If a patient request to record your session, and your decision to decline, you will need to make a note of the request, as well as your grounds for denying it, in the patient’s clinic notes.

If the patient is worried about being able to remember of follow instructions, some alternatives to recording may include:

Provide the patient with information resources including paper handouts, advice documents, or on-line audio or video advice and information resources.
Allow the patient to invite a trusted family member, friend, or care provider to accompany the patient during the patient’s health care visit.

Workflow Patient Record Appointment

Join Practice Management Success Today!

Changing technology is a huge part of that world, and the growing use of cell phones to record conversations is just one aspect of that.

Be prepared when patients ask permission to record their visits with you. Grab the procedure and patient request form template that you can use right away! Become a member of the Practice Management Success Membership!

Practice Management Success offers you access to tools, templates, tips, and training to help solve common problems which may come up in your practice.

It's kinda like having a clinic manager mentor (or a Jeannie) on Zoom! ✨

Reference

Canadian Medical Protective Association [Internet]. Ottawa (ON): CMPA 2017 March. Smartphone Recordings By Patients: Be Prepared, It's Happening Retrieved https://www.cmpa-acpm.ca/static-assets/pdf/advice-and-publications/perspective/com_17_perspective_march-e.pdf

The Dartmouth Institute for Health Policy & Clinical Practice. “Can patients record doctor's visits? What does the law say?.” ScienceDaily. www.sciencedaily.com/releases/2017/07/170710135301.htm (accessed July 23, 2022).

digital health, healthcare practice management, privacy

Should You Use Encrypted Emails In Your Practice?

Posted on June 27, 2022 by Jean Eaton in Blog

Should You Use Encrypted Emails In Your Practice?

There are many jokes around these days like “Fax machines? Who still uses those? And why are you still using fax machines? It’s the 2020s, not the 1990s!

People who don’t use them regularly may not realize it, but there are still many places which still use fax machines today—from legal offices, to governments, and yes—doctors offices.

This is because fax machines are much more secure than electronic networks such as email.

One doctor’s office asks: As healthcare professionals, we routinely send our referring physicians a report of the patient’s progress by fax. One clinic would like us to send the reports to them using their encrypted email link instead of fax.

Can we do that?

Today we’ll look at the pros and cons of switching to encrypted email as a method to securely send personal health information and try to answer this question.

What Are The Issues With Email?

First, we need to look at regular, non-encrypted email.

Grant Dakin, President of Solid Technology Solutions reminds us:

“When it comes to sharing sensitive information via email it should always be assumed that it is insecure. Basic email is generally open text, and to many email servers out there, especially on the public side, are not setup to handle encrypted email protocols.”

Even if your email service provider offers message encryption while a message is traveling between computers, this often does not apply on either end, and the message in the outgoing sent box and incoming inbox are often left unencrypted and vulnerable.

If information is not appropriately sorted once it arrives in the recipient’s inbox, there may still be issues with storing information in your email.

If the sender and the receiver do not appropriately manage their in and out boxes to ensure that it has limited information, appropriate access to only the right persons, and has been securely deleted, you have only addressed part of the problem.

When sending information to another clinic or doctor’s office, you may ask what practices does the other clinic have for storing information?

The same questions are important for patients as well:

Does the patient have access to a computer where they can download information?
Are they using a personal computer or an employer’s computer?
Do they have a secure place to access the information?

These are all things which need to be taken under consideration before you send personal information by email in your healthcare practice.

Why Are Some People Switching to From Faxing?

So, a referring partner who typically sends the consultation report to you by fax now wants to send it to you by encrypted email.

It’s not uncommon for places to want to upgrade their technology.

Fax machines can be large and clunky, and using encrypted email for consultation reports, referral requests, and more can be attractive to streamline operations. Many people feel that fax machines are obsolete. In early March of 2021, the Government of Ontario announced it would phase out its use of all fax machines by the end of the year.

However, there isn’t a common alternate communication standard across healthcare, private, and public users that is as common as the fax machine.

There have also been numerous privacy breaches in healthcare related to improper use of fax machines. For example, in the Ontario Information and Privacy Commissioner’s 2020 Annual Report, the IPC found that, in 2020 about 58 per cent of breaches experienced by health information custodians were caused by misdirected faxes.

How Does Encrypted Email Work?

Encrypted email works using an encryption key.

What is Encryption? Encryption is a method to disguise a message into a secret code. Only the people that have the ‘key’ to the secret code can un-scramble the message so that it can be read.

In order to use them, both the sender and the receiver need to have a key—the sender uses it to encrypt the message before sending it, and the receiver needs a key to decipher the message.

Grant Dakin explains: “Encrypted email services are a third-party service that will securely store the message, typically a secure web page, until a verification process is completed. This is key. The recipient needs to prove their identity to be able to view the message. At minimum, this can be a username / password challenge using a verified recipient owned email address. When possible, it is recommended to have multifactor authentication (MFA) employed. The use of MFA is dictated by compliance requirements, the type of information and your user base.”

This might seem overly complicated if you’re not used to using encryption services, which may not be an issue when sending information to another clinic, especially if they’re the ones who suggested using encrypted email.

Encrypted Email Process Diagram

When it comes to sending information to patients, especially those who aren’t very tech savvy, you need to consider if encrypted email is the right option.

Things to Consider When Implementing Encrypted Email

If you’re considering implementing encrypted email into your practice, you’ll want to first do a risk assessment, which should include:

Discussions with IT vendor / Managed Service Provider
Assess the reputation of the encryption vendor
Does the encrypted email meet industry compliance requirements?
Review your existing policies and procedures
Update those policies and procedures as required
Approval from Privacy Officer / Custodian / CEO
Prepare / update your privacy impact assessment (PIA)
Training for your staff on how to use the encryption software
Is there a verification process to ensure that the right person is viewing / accessing the information?
Verify that there are encryption protocols being used (If retrieving from a browser, verify that there is a valid SSL certificate)

For further guidance on choosing an encrypted email service, Grant Dakin offers the following:

“When looking for an encrypted email service, be certain that the service provider can demonstrate compliance. Most third-party providers base their compliance on HIPAA, which is a US based compliance, but it is very much in line with Alberta's Health Information Act (HIA) and our various Privacy Acts. For us, at SolidTech, the most common encrypted email service provider that we deploy would be Microsoft 365, which is HIPAA / HIA compliant, providing it is set up properly.”

Consider also that if you send information via encrypted email, there will probably be a learning curve for the receiver of the information as well. You may want to offer a basic outline to patients who opt to receive email this way about how it all works.

It may seem surprising at how much time it takes to appropriately and correctly implement an email encryption service in your healthcare practice. But if you will “axe the fax” and discontinue the use of a fax machine, you need to complete a risk assessment and plan an alternate solution.

What Else Can I Use, Instead of Encrypted Email?

If you aren’t ready to make the jump to encrypted email systems but want to get away from using fax machines in your practice, there are alternatives to encrypted email to consider.

Some of these include:

Portals from electronic medical record (EMR) systems
Sharing networks
Secure messaging

PrescribeIT^® enables prescribers to electronically transmit a prescription directly from an electronic medical record (EMR) to the pharmacy management system (PMS) of a patient’s pharmacy of choice. See the blog post, “Using PrescribeIT To Streamline Your Workflow”.

Any changes to how you send personal information, whether to patients or other clinics can’t just be a unilateral decision on your part.

Just because you’re ready to make a change, it doesn't mean that the recipients are ready to receive it in that way. You must communicate with your partners and patients about your plans and ensure everyone is on board.

Furthermore, it’s always good to have a business continuity plan in case your chosen method ceases to work as expected.

I’m Ready To Implement Encrypted Email—What’s Next?

If you think encrypted email might be the right choice for your practice, you might wonder, “What next?”

Getting started with a change like this may seem overwhelming, but you don’t have to do it alone.

Connect with Grant Dakin of Solid Technologies Solutions Inc.

Also see, “Texting with Patients; Can You Use Text Messaging With Patients?”

digital health, healthcare practice management, privacy

Why You Need Policies and Procedures

Posted on March 15, 2022 by Jean Eaton in Blog

Why You Need Health Information Policies and Procedures

Maybe you’ve heard you need written policies and procedures for your health information, but you’re left asking yourself why it’s so important?

The truth is, without written policies and procedures, you open a healthcare practice up to a whole host of problems, including major legal issues.

In fact, every business needs good practices that apply to your:

Information that you collect from patients/clients
Website
Email
Business practices including electronic (or paper) patient records, and computer network
Financial information
Billing, collection, and payment processing

Within the healthcare industry, there are additional legislation requirements that require specific written health information policies and procedures.

The Health Information Act (HIA) and the Personal Information Privacy Act (PIPA)

As we mentioned, when a custodian collects health information, you must follow the Health Information Act (HIA) in Alberta.

Like most other private businesses in Alberta, private healthcare practices must also comply with the Personal Information Privacy Act (PIPA).

The colleges of regulated health professionals (like the Alberta Dental Association and College (ADAC) and the College of Physicians and Surgeons of Alberta (CPSA), require dentists and physicians to meet the standards of practice which includes compliance to HIA and PIPA legislation.

In addition, the college has other standards of practice that you must meet, including policies and procedures for the collection, use, disclosure, and access of health information.

So, let’s explore further why written policies and procedures are so essential, as well as what can happen without them, and why healthcare practices may not think they need them in the first place.

Benefits of Policies and Procedures

One of the most critical benefits of having policies and procedures in place is that they’re good for business.

Here’s how:

They contribute to consistent, efficient workflow.
You can figure it out once, write the procedure, tweak it to make it better, and then repeat the same procedure again and again.
They help you make better business decisions, like buying supplies, choosing services, and selecting vendors.
They help support your accreditation efforts.
On-boarding employees the right way with no missed steps is much easier with policies and procedures in place.

If you’re looking for even more proof of the benefits of having written procedures, it can also help you avoid:

Internal disputes within your team and external disputes with your patients and clients
Re-work and re-training employees
Poor customer service
Poor reputation
Fines and penalties

Fines And Penalties For Not Having Written Policies And Procedures

You might be wondering why you would face fines and penalties for not having written policies and procedures in the first place.

The HIA requires the custodian – which includes the physician, pharmacist, dentist or dental hygienist – to take reasonable safeguards to protect the privacy and confidentiality of patients’ health information.

Having written policies and procedures is a common, expected, and reasonable safeguard.

Let’s say you have a privacy breach in your practice or an error (like sending a fax to the wrong number or you are a victim of a phishing or ransomware attack).

You can learn more about what makes a privacy breach a privacy breach here.

If you can’t demonstrate that you had the appropriate reasonable safeguards, like written policies and procedures in place, you are guilty of an offence under the law.

It’s illegal not to have policies and procedures when you collect health information.

If you are guilty of this offence, you are liable for a fine of a minimum of $2,000 and not more than $500,000. (HIA section 107(7)).

3 Policies and Procedures Myths

One reason some healthcare practices fail to have written policies and procedures is because they believe they don’t need them.

Often, this is because they’ve fallen prey to the common myths about policies and procedures.

There are 3 of the common myths that stop healthcare providers and their clinic managers from creating written policies and procedures:

It’s Too Hard

While it does take some skill to write clear, easy to read, and easy to understand policies and procedures, it doesn’t have to be heard. In fact, you can even purchase templates to make this easier.

It Takes Too Much Time

Writing policies and procedures does take some time.

But investing the time to create policies and procedures pays off by preventing suffering from inconsistent or broken procedures, using or disclosing health information in error, and having to pay fines, penalties, public relations nightmares, or spending the time required to run a privacy or security investigation.

It’s A Waste Of Time

Here are a few good reasons that prove writing policies and procedures is not a waste of time:

Practical privacy policies and procedures will create a more efficient practice and help you make better business decisions.
The policies and procedures become the foundation of your privacy impact assessment.
Policies and procedures are pre-requisites for other initiatives, like access to Netcare or other community integration initiatives, and privacy impact assessment (PIA). Click here to learn more about PIAs.
You must have them as part of your legislative compliance.
It’s the law. Not having policies and procedures regarding the collection, use, disclosure, and access of health information is illegal.

As you can see, written policies and procedures help ensure consistent office procedures and good communication between team members in your healthcare practice.

In addition to those good reasons, you must have good written policies and procedures about how you collect, use, disclose, and provide access to health information to avoid legal problems, fees, penalties, and other problems.

Not Sure Which Policies and Procedures That You Need?

Show Me Policy And Procedure Checklist

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies and Procedures Are?

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

New! Health Information Policy and Procedure Manuals

Privacy Impact Assessments (PIA)

Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, physicians, PIPA, Policies and procedures, privacy, Privacy Impact Assessment, reasonable safeguards

Do You Know Where Your Policies And Procedures Are?

Posted on November 15, 2021 by Jean Eaton in Blog

Do You Know Where Your Policies and Procedures Are?

This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice.

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. #Policies Click to Tweet

Don't let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta's Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose.

It started with at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Employee Dispute

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigative report is not the current custodian at the clinic. The physician was hired in 2015 and therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8 (6) of the Regulation states the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodians administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.

Privacy-Breach-Nugget-023-Policies-Procedure-Manual

Show Me Policy and Procedure Checklist

Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information in contradiction contravention of section 8(6) of the regulation.
The custodian was in contravention of section 8(6) of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note any collection use or disclosure of health information by an affiliate of a custodian is considered to be the collection, use, and disclosure by the custodian.
The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps.

Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
Oath of confidentiality documents should be signed by all of all clinic staff and custodians and maintained in a secure location.
Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.

Monitor

This incident occurred in 2016. The OIPC office did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide a provision for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure we have these administrative, technical, and physical safeguards in place and are maintained in a consistent fashion.

When you've done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

New! Health Information Policy and Procedure Manuals

When Do You Need a PIA Amendment?

When is a Privacy Breach a Privacy Breach?

References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf

Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, Patient privacy, physicians, Policies and procedures, Prevent privacy breaches, privacy, privacy breach, Privacy Impact Assessment, reasonable safeguards, templates

Sharing Your Vaccine Status – Privacy Tips

Posted on July 19, 2021 by Meghan in Blog

Sharing Your Vaccine Status – Risks and Benefits

For the safety of yourself and others, schools, employers, or event organizers may ask you for proof of vaccination against the COVID-19 virus. It is your right to decide if you share your personal information with others.

Your personal health information can be misused to access services, apply for credit cards using your name, or other fraudulent purposes.

Throughout the pandemic, each of us have had to make decisions about our health safety and the risks and benefits of our actions. You can apply a similar risk and benefit approach to decide if, when and how you share your vaccine status.

Why Share?

Consider the purpose of providing your vaccine status.

Are you giving this information to a physician or nurse for your health care?

Before attending a concert or football game?

Is it a pre-requisite before you can attend school or a sports program?

You may also need to consider the benefit of sharing your vaccine status. If you want to travel out of country, a vaccine passport may be required for international travel purposes.

Protect your gold – your personally identifiable information.

If you decide to share your vaccine status:

provide the least amount of information needed.
know and trust the person (or the app) that you are sharing your information with. Remember, read the privacy policy!
understand how your information will be used.

Don't Overshare

Sometimes, answering the question ‘Is your vaccine up-to-date?’ is good enough. You don't always need to share your date of birth, family physician, and health care number, too.

You may be asked to show your proof of vaccine status, but don’t allow the casual requester to make a copy of the vaccination report. (There are some exceptions. Sometimes, you may need to share the information with your healthcare provider or a government official).

Instead, the requester can make a simple notation on their records that you were asked about your vaccine status, and you showed an appropriate proof of vaccination. (See the blog post How To Correctly Identify Patients And Use Photo ID for tips on how to implement this practice in your business).

If You Are Collecting Vaccine Status

If you are a business owner who is collecting personal information like a vaccine status, remember that you must follow the appropriate privacy legislation. In Alberta, private businesses must follow Personal Information Privacy Act (PIPA) legislation.

See the advice document from the Alberta Office of the Information and Privacy Commissioner (OIPC) regarding the reasonable purpose to collect personal information and your responsibilities to keep the information secure.

How Do You Get Your Vaccine Report?

Most often, you will receive a paper confirmation from the healthcare provider at the time that you receive your first and second vaccine dose. In Alberta, you can also download your vaccine record from MyHealth Record, the Personal Health Record for Albertans to access some of their health information, such as lab results, medications, and immunizations drawn from Alberta Netcare.

I shared a short video here to show you how you can register for your own personal account. Some other provinces have a similar provincial electronic health record that individuals can access their own health information.

Keep It Safe

You will probably need to refer to your vaccine status often over the next few years. Keep this information safe and easy to retrieve.

Take reasonable steps to protect your information so that other people can't easily view or take your information without your permission. Will you keep your information in:

paper format?
your wallet or purse?
as a photo on your phone?
- If so, also consider how you will share the photo. If you give your phone to someone to hold and view the photo of your vaccine status or passport, they may also use the access to your phone for other purposes.
upload your vaccine status to a digital app?

Evaluate the Risks and Benefits

Remember to ask yourself why you need to share the information and evaluate the risks and the benefits. It's your information, and you get to decide if, when, and how to share your vaccine status. Take the time that you need to ask the right questions and make an informed choice.

After you share your information, it’s too late to take it back.

Instead, be prepared to respond to a request for your vaccine status with these privacy tips to protect your personal health information.

COVID-19, digital vaccine passport, personal health information, privacy, proof of vaccination, vaccine status

What Does a Ransomware Attack Look Like to Patients?

Posted on June 14, 2021 by Meghan in Blog

What Does a Ransomware Attack Look Like To Patients?

One of my favourite podcasts is Help Me with HIPAA. This weekend I listened to Episode 304 Ransomware Creates a Social Media Privacy Violation Storm while I was spring-cleaning my yard.

Donna and David discuss in (almost) real time a ransomware attack that was currently occurring at the San Diego California’s main health systems, Scripps Health. The attack resulted in practically all of its technology being taken down. The EHR went down, patient portals were down, appointments had to be rescheduled, patients had to be diverted to other hospitals… even their website was down.

This podcast episode isn’t about the technology about ransomware. Donna and David walk you through the impact on patients – from the inconvenience and frustration to the disastrous consequences of not having health information available when it is most needed.

This gripping story reveals how communication failures, systems failures and a lack of information snowballed to negatively affect patients when they needed help the most.

My Takeaways From This Help Me With HIPAA Episode

Ransomware is nefarious and its impact is far-reaching.

Patient care is compromised – patient information is not accessible, and it is unknown what information can be retrieved and, if it is retrieved, if it is complete and accurate.
Privacy breach – obviously! The hackers have patient, employee and business information and have threatened to release it publicly.
BUT – employees are also continuously breaching privacy while they are responding to patient concerns on social media DURING the ransomware attack.
Employees cannot access their information to do their jobs – work schedules, payroll, portals to perform their jobs. So, alternate, unauthorized workflows are implemented to get the job done which subsequently results in more breaches.
While the press release from Scripps Health indicates that they have trained and prepared personnel, the communication from Scripps to patients, employees, and the public has been disorganized, conflicting, and continuously breaching privacy and confidentiality.

I urge you to listen to this episode (about 30 minutes).

Listen to the Help Me With HIPAA Podcast HERE!

[Start at 18:19 minutes]

What Would You Do?

How would you and your team respond to this type of privacy breach?

Share this episode with the members of your incident response plan. Then, use the scenario to conduct a table-top privacy breach fire drill using your privacy breach management plan.

These table-top privacy breach fire drills are a great demonstration of your commitment as an organization to ensure that you are protecting the privacy confidentiality and security of health information.

Now hop over and listen to the Help Me With HIPAA episode to better understand what a ransomware attack looks like to a patient.

https://helpmewithhipaa.com/privacy-questions-everywhere-ep-304/ [Start at 18:19 minutes]

Communication, healthcare, incident response plan, Patients, privacy, ransomware, ransomware attack

Why Would a Dentist Want Access to the Alberta Netcare Portal?

Posted on April 27, 2021 by Meghan in Blog

Why Would A Dentist Want Access To The Alberta Netcare Portal?

As a dentist or dental hygienist, if you have concerns about a patient’s health history, you may want to have access to the Alberta Netcare Portal to view the patient's history of health concerns and current medications.

Alberta Netcare provides personal health information that is available through a province-wide electronic record system under the authority of the Health Information Act (HIA).

Whether a dentist uses paper records, electronic dental records (EDR), or electronic medical records (EMR), using the Alberta Netcare Portal will help dentists monitor their patient’s interactions with other parts of the health care system.

What is the Alberta Netcare Portal?

Alberta Netcare Portal is the secure vehicle through which patient health information from a variety of health care providers is shared and accessed electronically, by independent and hospital-based health service providers like dentists, physicians, nurses and pharmacists. The Alberta Netcare Portal is a data collection centre for registries and systems such as laboratories, diagnostic imaging facilities, hospitals and some specialized clinics. Alberta Health and Wellness is the Netcare information manager.

Dentists and Dental Hygienists Are Custodians

Dentists were designated in 2010 as authorized custodians under the Health information Act (HIA). Dentists can now request access to Alberta Netcare by showing that they meet the Netcare requirements.

Dentists who manage patients with complex medical conditions or for the provision of treatment requiring sedation or general anaesthesia may require additional information about the patients’ health history. Dentists can use Alberta Netcare Portal to view medication profiles, laboratory data and tests results.

Ensuring reasonable safeguards to protect the privacy and security of personal health information of your patients and residents of Alberta is critical! We want everyone who has access to these health data repositories to follow the same best privacy and security practices. The HIA has regulated requirements for all custodians to follow.

Everyone needs to follow the rules to play in the sandbox!

How To Get Started

Before you are granted access to Alberta Netcare Portal, you must complete the following steps.

Step 1: Create or update your Health Information Management Privacy and Security Policies and Procedures including the rules governing the access, collection, use, of health information from Alberta Netcare.

Step 2: Complete a Privacy Impact Assessment (PIA) and submit this to the Office of the Information and Privacy Commissioner for review. For more information on how to complete a PIA, click here.

Step 3: Train your team on privacy awareness. I recommend the Privacy Awareness in Health Care Training — Dental Practices.

Step 4: Contact the eHealth Netcare Support Services Team.

Step 5: Complete a Provincial Organizational Readiness Assessment (pORA). See What is a pORA.

Step 6: Sign an Informational Manager Agreement (IMA) and Review Informational Exchange Protocol (IEP) with Alberta Netcare

For more tips on implementing reasonable privacy and security safeguards for your dental practice, see https://informationmanagers.ca/privacy-impact-assessment-pia/.

You can also watch the FAQ video on this topic by clicking the button below!

Watch the FAQ Video HERE!

You May Also Be Interested In:

What is a pORA?

New Health Information Policy and Procedure Manuals

Do You Need An Expedited Netcare Privacy Impact Assessment?

Who Is Doing the Recalls In Your Dental Practice?

Privacy Awareness in Healthcare Training: Dental Practices

Privacy Impact Assessment – Consultation Options Available!

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

Alberta Netcare, ANP, dental hygienist, dentist, healthcare, PIA, PIA Consultant, privacy, Privacy Impact Assessment

1 2 3 ›»