Privacy Awareness in Healthcare Training: Dental Practices

Posted on June 15, 2020 by Meghan in Blog, Services

NEW! Privacy Awareness in Healthcare Training – Dental Practices

Privacy Awareness Training for Dental Practices

Is your dental clinic in compliance with the Alberta Dental Association & College, Health Information Act (HIA) and Personal Information Protection Act (PIPA)?

Dentists and dental practices in Alberta are required to have an ongoing privacy program to ensure the protection of private records and patient information. The appropriate collection, use, and disclosure of personal information is critical to maintaining privacy for patients that choose to trust in your practice. Accomplishing this important goal demands an up-to-date training strategy.

Regular privacy awareness training protects patients, employees and your business. The key components of your training strategy must revolve around ensuring HIA compliance to mitigate risk of a privacy breach. Everyone in your clinic – dentists, dental assistants, dental hygienists, office staff, contractors and even practicum students and volunteers must understand how to correctly handle personal information, so it remains confidential and secure. Maintaining high standards that safeguard information privacy and security is an essential aspect of asset management for any health care provider.

Corridor Interactive's training includes a personalized printable certificate of achievement to support compliance and may be used for your continuing education credits, too! Our training delivers industry best practices and is ideal for all levels of staff in any dental organization or clinic that collects, uses or discloses personally identifying information. This includes direct care providers in your practice as well as privacy officers, support staff and any other employees who are not directly involved in patient care.

Corridor’s Privacy Awareness Training for Dental Practices educates dentists, dental assistants, dental hygienists, and all office staff on:

Understanding Privacy
Privacy Principles
Collection, Use & Disclosure
Roles & Responsibilities
Privacy Breaches
Right of Access
Safeguards
What is “Health Information”
Handling Personal Sensitive Health Information

If You Are A

dentist,
dental assistant,
dental hygienist,
or work in a dental practice

You Need Privacy Awareness in Healthcare Training – Dental Practices

You will

Understand patient and client privacy rights.
Respect personal health information and your obligations.
Confidently and correctly handle personal health information.
Use reasonable safeguards to protect personal health information (PHI).
Recognize and respond to a privacy breach
Support key policies, procedures and risk management programs in your healthcare practice.

Interactive Online Learning Experience provided by Corridor Interactive

Corridor Interactive’s Buy Now Training Programs give you access to the most current information available, at your convenience. Complete your course all at once, or in multiple sessions from any location – it’s up to you. All you need is an internet connection and an email address to get started…it’s that easy!

Fits into your schedule – you can start, pause at anytime, and return to the course exactly where you left off.
Easy to use – navigation buttons makes it easy to continue to the next topic or pick and choose the order that you want to see the content.
Get started immediately – the entire course is ready for you!
Work at your own pace – you have access to the course for three (3) months. Most students complete the course in under 2 hours.
You can listen to the narration for each module.
Practical examples, too, to make it easier for you to apply what you have learned in the course to your job.
Links to extra resource material and websites related to your topic of study, to peruse at your convenience.
A printable Certificate of Completion, available as soon as you successfully complete your course.
An audit trail and record of your course activity and training history.
Self-directed learning features including the ability to pause your course at any time and resume later, right from where you left off.
Unlimited access to your course and resources for the duration of your subscription term.
Technical support with a one-business day turnaround for end-user support help and questions.
Automatic emails when you complete your course, or reminders if you have not completed.

Developed by Corridor’s team of seasoned software specialists and instructional designers, this unique online learning application is the optimum vehicle for delivering learning content.

$30 per subscription

Give your staff the knowledge and tools they need to apply policy in their day-to-day work AND prevent a privacy breach with privacy awareness training.

Privacy Awareness in Healthcare Training – Dental Practices

Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information. Learn basic healthcare privacy principles and how to handle personal health information, use safeguards, and recognize and report a privacy breach.

Sounds great! Sign me up!

This self-paced on-line education includes:

9 Modules
6 Quizzes
2 Case Studies
Final Exam

Certificate of Completion

“When we know better, we can we do better.”

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information.

I am constructively obsessive about privacy and confidentiality in the healthcare sector–and I think you should be, too! I designed this course to assist healthcare providers, clinic managers, practice managers, privacy officers and independent healthcare practice owners provide practical privacy awareness training that was easy to implement, consistent content, cost-effective and meaningful to your day-to-day business.

When each member of your independent healthcare practice completes this privacy awareness course, you will have clearer expectations and confidence that your team will maintain the privacy, confidentiality and security of your patient’s health information. Give your patients the gift of privacy. Improve your healthcare practice with privacy awareness education.

Jean L. Eaton, Your Practical Privacy Coach Information Managers Ltd.

Frequently Asked Questions

How can I access the course?

The course, Privacy Awareness in Healthcare Training – Dental Practices is available on-line from any internet enabled device. You can use your desktop computer, smart phone or tablet to view the slides and even hear the narration.

How long is the course?

Most students complete the course in under 3 hours. You can start and stop the course at any time. Let's say you decide to take 20 minutes each day to work on the course. You can login and start the course right away. When you come back to the course the next day, you can start right from where you left off. You will have all the modules and the post-test done within 6 days. Don't worry about missing a few days – you have access to the course for a full 3-months!

This is my first job in a dental practice. Do I know enough to start the course?

You bet! The course is easy to read and I explain all the terms that you need to know. There are a lot of practical examples, too, to make it easier for you to apply what you have learned to your job.

I've worked in healthcare for a long time. Do I still need to take this course?

You bet! Seasoned professionals like yourself have an extra obligation to share your knowledge with new workers. This course will help you to refresh key principles and suggest wording, examples, and key messages that you can use to train new employees to their specific tasks in the workplace. The course will help you to advocate for the privacy rights of your patients. Unfortunately, we have many examples where trained professionals who “should have known better” make errors in judgement causing privacy breaches that affect our patients, our business, and the reputation of healthcare. Healthcare practitioners and owners have a responsibility to ensure that everyone in the practice receive comprehensive privacy awareness training regularly.

Will I get a certificate of completion that I can give my employer?

Yes – at the end of the course, you will have the opportunity to complete a short on-line quiz to confirm that you understand the key concepts. Then you will have access to a Certificate of Completion that you can download and share with whomever you choose.

Can I get continuing education credits with my professional association?

Maybe! If you are a member of a professional association and you would like to seek credits from for taking this course, please let us know so we can take steps to request pre-approval. Often, professional association and colleges will grant continuing education (CE) credits based on your certificate of completion.

How much is the course?

The course is $30 per individual 3 month subscription. Click here to buy it right away.

I think everyone in my healthcare practice should take this course! Can I buy in a group package?

Yes – Privacy Awareness in Healthcare Training – Dental Practices is available in group packages, or it can be customized to incorporate your organization’s privacy policy and practices. Employers can monitor the employee’s training progress and receive a report of employee’s satisfactory completion of on-line quizzes. Track annual privacy awareness training through our online platform to demonstrate your compliance with legislation. Contact Corridor Interactive for more information.

I agree that privacy awareness training is important - but I don't work in healthcare. Do you have a corporate privacy awareness program?

While these programs have been developed with health care providers in mind, the privacy principles and fundamentals of protecting personal information are appropriate for any organization that collects, uses, and discloses personally identifying information. Contact us for information about our Corporate Privacy Awareness Program!

Interested in Group Training?

Employers can also purchase training for groups of employees; employees can access the internet based training at a time and location convenient to them. Employers can monitor the employee’s training progress and receive a report of employee’s satisfactory completion of on-line quizzes. Track annual privacy awareness training through our online platform to demonstrate your compliance with legislation.

Email Corridor Interactive to Order Group Training

Corridor Interactive, dentists, health care, Health Information Act Training, healthcare, healthcare provider, primary healthcare, privacy, privacy awareness, privacy breach, training

Your Guide to Privacy & Security Measures for the Health Care Industry

Posted on June 11, 2020 by Meghan in Blog

I’m tickled pink to be a guest of Rafiki Technologies' EVOLUTION SERIES

Your Guide to Privacy & Security Measures for the Health Care Industry

Join Rafiki Technologies and Jean Eaton to learn effective ways to keep your patient information safe and secure.

Confidentiality and security of personal health information (PHI) are crucial in the health care industry. It's your job to keep your records safe and your patient's information private, confidential, and secure.

Electronic medical records (EMR) have many advantages but security concerns are attached. Internet hackers are able to access private information in a matter of minutes if the medical practice doesn't have strong security measures in place and well-trained staff.

Learn how to protect your patient data with Rafiki Technologies' President Naheed Shivji. He and his team have worked in the medical industry for many years and they understand how to integrate proper IT and security measures seamlessly into existing infrastructure.

Joining Naheed Shivji is a Certified Health Information Management Professional, Jean L. Eaton. Jean is exceptionally versed in privacy awareness training and tools and works alongside many healthcare providers to ensure they're using the right protocols to keep patient information protected while complying with privacy legislation.

Speakers:

Jean L. Eaton, Your Practical Privacy Coach and Practice Management Mentor with Information Managers Ltd.

I assist healthcare providers, clinic managers, practice managers, privacy officers, and independent healthcare practice owners with practical privacy awareness training and tools that are easy to implement, cost-effective, and meaningful to your day-to-day business.

As a Certified Health Information Management professional (CHIM), and privacy awareness training facilitator, I have had the honour to share my obsession about practical privacy and confidentiality advice with hundreds of medical clinics and healthcare practices and organizations across Canada and the US.

With over twenty years of experience in health information management and healthcare administration and over 15 years in my independent consulting practice, I have made practical recommendations for 1000’s of independent health care providers to help them comply with privacy legislation and create efficient practices.

Naheed Shivji, Founder & President of Rafiki Technologies Inc

Naheed has more than 20 years of experience in IT with expertise in the dental industry. He is a passionate entrepreneur helping companies understand and embrace technology and is always searching for business best-practices while giving back to the community.

Naheed works hands-on with his clients to develop winning IT strategies and smooth implementations. He is constantly learning and adapting to industry trends to maintain Rafiki Technologies’ position as a leading managed IT services company in Canada.

Your Guide to Privacy & Security Measures for the Health Care Industry

Tuesday, June 16th, 2020

6:00pm MDT

RSVP on EventBrite Here!

cybersecurity, datasecurity, healthcare, informationsecurity, medical, privacy, security

The Future Of Privacy Virtual Summit

Posted on January 7, 2020 by Jean Eaton in Blog

Discover why privacy, protecting personal information and securing critical data assets are priorities for business leaders in 2020.

I'm tickled pink to be presenting ‘Privacy of Health Information, an IFHIMA Global Perspective’ with Lorraine Fernandes at Bright Talk’s upcoming Data Security and Privacy Virtual Summit. All professionals with an interest in Data Security and Privacy are welcome!

The increasingly mobile, rapidly digitizing world of data is transforming all aspects of information and leading to new policies and regulations to support data privacy.

Beyond its primary purpose of improving personal healthcare outcomes, health data is being used for a wide range of purposes from improving population health, disease surveillance and the study of health economics. There are dramatic changes in how patients, consumers, or individuals access and use their health data. And, new technologies such as machine learning, artificial intelligence and biometric authentication are further compounding health information privacy challenges. Now more than ever, it is critical that the privacy of health information be protected.

Lorraine Fernandes and Jean L. Eaton will share:

The role of The International Federation of Health Information Management Associations (IFHIMA)
The need for a privacy information sharing agreement (ISA) explored in the IFHIMA healthcare whitepaper
High level overview of global privacy trends impacting healthcare
Why privacy is a priority for business leaders in 2020
The importance of a privacy management program and privacy awareness training to protect personal information and secure critical data assets
Prepare for emerging privacy trends

Register here (https://ifhima.org/sign-up-for-ifhima-global-news-whitepaper-and-events/) to receive this free white paper and learn more about IFHIMA.

Join BrightTALK’s upcoming virtual summit for a global, three-day online event.

Register for free thought leadership from the world’s top speakers, vendors and evangelists in the form of live webinars, panel discussions, keynote presentations and webcam videos. From Data Protection Officers, to CISOs and CTOs, all professionals with an interest in Data Security and Privacy are welcome!

Three Virtual Summit Tracks

The 2020 Compliance Landscape – January 21, 2020 Learn what’s needed to achieve and maintain your CCPA, GDPR, PCI and HIPAA compliance.

The Future of Privacy – January 22, 2020 Discover why privacy, protecting personal information and securing critical data assets are priorities for business leaders in 2020.

Data Security Done Right – January 23, 2020 Find out how to improve security from the ground up and what’s needed for building security-by-design.

#IFHIMA, Bright Talk, privacy, virtual summit

Top 3 Practice Management Nuggets Blogs and Podcasts in 2019

Posted on January 2, 2020 by Jean Eaton in Blog

I wish you a prosperous New Year and personal and professional growth.

Practice Management Nuggets blog posts and podcasts is designed to help you achieve that. I started this in January 2014. We’ve grown over the years and improved the technology and platforms to better help you start, grow, and improve your healthcare practice. I help you to manage the pink elephant in the room!

Over the last year, you have made these blog posts and podcasts rank in the top 3 for 2019. If you missed these, or want to re-visit them, follow the links below.

Check out these top 3 Practice Management Nuggets blog posts and podcasts.

Here Are The 3 Best Blog Posts And Podcasts Of 2019

Top 3 Blogs

Recent Privacy Breach Convictions Under Alberta’s Health Information Act

Curiosity Is NOT Need-To-Know

The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Top 3 Practice Management Nuggets Podcasts For Your Healthcare Practice

Privacy Awareness Quiz #PrivacyMatters | Episode #076

How Improved Patient Satisfaction Saves You Time And Money | Episode #074

Fax Received in Error – Is this a Notifiable Privacy Breach? | Episode #067

Stay tuned for more guest experts, tips, tools, templates and training in 2020!

blog, healthcare, podcast, privacy

Privacy of Health Information, an IFHIMA Global Perspective

Posted on November 12, 2019 by Jean Eaton in Blog

The 19^th Congress of IFHIMA, the International Federation of Health Information Management Associations, will feature the release of IFHIMA’s latest whitepaper, “Privacy of Health Information, an IFHIMA Global Perspective.” I’m honoured to be the Chair of the Working Group and one of the authors. After months of work from dedicated HIM professionals and IFHIMA volunteers, I’m tickled pink to be able to share this with you.

Privacy of Health Information, an IFHIMA Global Perspective whitepaper provides a synopsis of current trends in privacy in healthcare around the globe, discusses the role of HIM professionals in privacy, and offers more detailed perspectives through case studies from Australia, the European Union, India, Qatar, the Republic of Korea (South Korea), and the USA.

Health Information Management (HIM) professionals have transitioned from their traditional role of health records custodian to data stewards and information privacy advocates and have an opportunity to take a leadership role with regard to the privacy of health information.

This privacy paper includes discussion on

Global privacy trends
What is personal information?
Privacy and trust
Challenges in maintaining trust when technology moves faster than regulations
Privacy stewardship foundations, including the role of the privacy/compliance officer
Avoiding risks, harm, and breaches
The complexity of breach notifications
How technology impacts privacy

After a thorough discussion, the paper also suggests several actionable steps that anyone can implement and discuss with their teams. Privacy is a team effort, but it requires a strong, trusted leader who can be the voice of clarity and transparency for patients, consumers, and regulators — all while building consensus.

These steps include:

Get involved as privacy regulations are developed
Assess what the regulations may mean to your organization
Communicate your insight to the team, leadership, and regulatory bodies
Identify required changes to systems, processes, and technologies
Train your teams, admins, and patients about their privacy rights and responsibilities
Commit to ongoing professional growth to stay abreast of the changing landscape

Privacy regulations that bring together emerging technology, healthcare processes and individual rights should take a pragmatic approach with consideration to future health information technology solutions such as telemedicine, Internet of Things and big data.

HIM professionals, in our role as stewards of health data, should be the voice of clarity and transparency for patients, consumers, and regulators. #IFHIMAClick to Tweet

6 Case Studies

The whitepaper includes observations and commentary about the status of privacy projects around the world, including the following case studies

My Health Record – The Australian Experience
General Data Protection Regulation of the European Union Reaches Far Beyond Europe
Health Care Privacy: An Indian Scenario
Developing a Global Standard for Health Information Privacy Workforce Education – A Republic of Korea (South Korea) Case Study
Health Information Exchange Implementation – Qatar, HIE Consent Model for Privacy Concerns – Privacy Regulatory Framework
Laying the Foundation for Privacy Practice and Compliance in the Outpatient Setting: Policies and Procedures. Download the Privacy of Health Information

This whitepaper will aid anyone tasked with planning for increased data sharing while trying to manage healthcare privacy. Ministers or Department of Health staff, privacy and data governance consultants, vendors, and health systems should find it especially helpful. Whether you are from a nation crafting its initial privacy regulations, or a nation revising insufficient policies, the information is relevant and enlightening.

I’d like to express my appreciation for the hundreds of hours of work contributed by this exemplary group of volunteers, including

Lorraine Fernandes

Angelika Haendel

Jenny Gilder

Mujeeb C. Kandy

Ok Nam Kim

Dr. Sabu Karakka Mandapam

Veronica Miller Richards

Dorinda M. Sattler

Dr. Rajesh Kumar Sinha

Selvakumar Swamy

Christopher Wilde

Click here to Register and receive this whitepaper and IFHIMA Global News, published three times per year.

Privacy of Health Information, an IFHIMA Global Perspective

#IFHIMA, healthcare, privacy, whitepaper

Why Do You Need Health Information Policies and Procedures?

Posted on September 24, 2019 by Jean Eaton in Blog

Maybe you’ve heard you need written policies and procedures for your health information, but you’re left asking yourself why it’s so important?

The truth is, without written policies and procedures, you open a healthcare practice up to a whole host of problems, including major legal issues.

In fact, every business needs good practices that apply to your:

Information that you collect from patients/clients
Website
Email
Business practices including electronic (or paper) patient records, and computer network
Financial information
Billing, collection, and payment processing

Within the healthcare industry, there are additional legislation requirements that require specific written health information policies and procedures.

The Health Information Act (HIA) and the Personal Information Privacy Act (PIPA)

As we mentioned, when a custodian collects health information, you must follow the Health Information Act (HIA) in Alberta.

Like most other private businesses in Alberta, private healthcare practices must also comply with the Personal Information Privacy Act (PIPA).

The colleges of regulated health professionals (like the Alberta Dental Association and College (ADAC) and the College of Physicians and Surgeons of Alberta (CPSA), require dentists and physicians to meet the standards of practice which includes compliance to HIA and PIPA legislation.

In addition, the college has other standards of practice that you must meet, including policies and procedures for the collection, use, disclosure, and access of health information.

So, let’s explore further why written policies and procedures are so essential, as well as what can happen without them, and why healthcare practices may not think they need them in the first place.

Benefits of Policies and Procedures

One of the most critical benefits of having policies and procedures in place is that they’re good for business.

Here’s how:

They contribute to consistent, efficient workflow.
You can figure it out once, write the procedure, tweak it to make it better, and then repeat the same procedure again and again.
They help you make better business decisions, like buying supplies, choosing services, and selecting vendors.
They help support your accreditation efforts.
On-boarding employees the right way with no missed steps is much easier with policies and procedures in place.

If you’re looking for even more proof of the benefits of having written procedures, it can also help you avoid:

Internal disputes within your team and external disputes with your patients and clients
Re-work and re-training employees
Poor customer service
Poor reputation
Fines and penalties

Fines And Penalties For Not Having Written Policies And Procedures

You might be wondering why you would face fines and penalties for not having written policies and procedures in the first place.

The HIA requires the custodian – which includes the dentist or dental hygienist – to take reasonable safeguards to protect the privacy and confidentiality of patients’ health information.

Having written policies and procedures is a common, expected, and reasonable safeguard.

Let’s say you have a privacy breach in your practice or an error (like sending a fax to the wrong number or you are a victim of a phishing or ransomware attack).

You can learn more about what makes a privacy breach a privacy breach here.

If you can’t demonstrate that you had the appropriate reasonable safeguards, like written policies and procedures in place, you are guilty of an offence under the law.

It’s illegal not to have policies and procedures when you collect health information.

If you are guilty of this offence, you are liable for a fine of a minimum of $2,000 and not more than $500,000. (HIA section 107(7)).

3 Policies and Procedures Myths

One reason some healthcare practices fail to have written policies and procedures is because they believe they don’t need them.

Often, this is because they’ve fallen prey to the common myths about policies and procedures.

There are 3 of the common myths that stop healthcare providers and their clinic managers from creating written policies and procedures:

It’s Too Hard

While it does take some skill to write clear, easy to read, and easy to understand policies and procedures, it doesn’t have to be heard. In fact, you can even purchase templates to make this easier.

It Takes Too Much Time

Writing policies and procedures does take some time.

But investing the time to create policies and procedures pays off by preventing suffering from inconsistent or broken procedures, using or disclosing health information in error, and having to pay fines, penalties, public relations nightmares, or spending the time required to run a privacy or security investigation.

It’s A Waste Of Time

Here are a few good reasons that prove writing policies and procedures is not a waste of time:

Practical privacy policies and procedures will create a more efficient practice and help you make better business decisions.
The policies and procedures become the foundation of your privacy impact assessment.
Policies and procedures are pre-requisites for other initiatives, like access to Netcare or other community integration initiatives, and privacy impact assessment (PIA). Click here to learn more about PIAs.
You must have them as part of your legislative compliance.
It’s the law. Not having policies and procedures regarding the collection, use, disclosure, and access of health information is illegal.

As you can see, written policies and procedures help ensure consistent office procedures and good communication between team members in your healthcare practice.

In addition to those good reasons, you must have good written policies and procedures about how you collect, use, disclose, and provide access to health information to avoid legal problems, fees, penalties, and other problems.

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

Get the Reliability And Power of Policy and Procedure Templates Without Spending Hours (or Days) Creating Them!

Your healthcare practice needs written policies and procedures to assist you to correctly, efficiently, and confidently collect, use, access, and disclosure of health information so that you can meet your accreditation, privacy impact assessment, and regulatory compliance requirements.

Show Me Policy And Procedure Templates!

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies and Procedures Are?

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

When Do You Need a PIA Amendment?

What is a PIA?

Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, physicians, PIPA, Policies and procedures, privacy, Privacy Impact Assessment, reasonable safeguards

Do You Use Employee Privacy and Security Policy and Procedure Checklist Templates?

Posted on September 12, 2019 by Jean Eaton in Blog

Why Do You Need Employee Onboarding and Exiting Checklists?

There is much excitement when we welcome a new hire to our team and many administrative tasks need to take place to get this individual up and running.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed to protect patient privacy as required by our professional colleges and privacy legislation. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

To ensure that onboarding a new employee is a smooth transition, it is imperative to follow a practical checklist procedure to make sure no important steps are missed. There are also many other managerial benefits to adopting this high-quality process

Better job performance and satisfaction
Greater commitment to protecting privacy in the organization
Reduced stress and better staff retention

Employee Privacy and Security Checklist

Policies and procedures is a reasonable safeguard to protect the personal and health information entrusted to us. But polices and good intentions alone is not enough; we also need to take action to ensure our policies are understood and being followed by all our employees.

Training new and existing staff on privacy and security best practices is instrumental in making your healthcare practice a success and maintaining its fine reputation. Following a systematic approach to welcoming a new employee, transitioning an existing employee into a new position, or offboarding an employee who is exiting will guarantee that valuable privacy and security training and accesses are completed.

Read this Privacy Breach Nugget that explains what can happen if you don’t have these good practices in place. Do You Know Where Your Policies And Procedures Are?

New Employee Orientation / Onboarding

New employees are a welcome addition to any team and there is a vast amount of training that needs to take place from general procedures on how to handle phone calls to signing confidentiality oaths to becoming familiar with all policies and procedures, in addition to learning the everyday job duties for their own position.

Since privacy is good for business, we do not want to miss any important opportunities to train our new staff on privacy and security best practices. Using the Employee Privacy and Security Checklist will help facilitate training discussions and document the authorized accesses of each employee.

Existing Employees / Annual Review

The checklist will also act as a tool for each employee at their performance review. Provide positive feedback and observations of an employee’s successes in protecting personal information. Discuss opportunities for improvement, too. This is also a good time to review an employee’s current authorized role based accesses and determine if any changes to match the employee’s current job duties is needed.

Ensure that the employee still has ‘tokens’ that they were given at the time of their hire, like identity badge, keys to the clinic or Alberta Netcare RSA fob.

Privacy and security best practice dictate that confidentiality oaths should be signed on an annual basis and annual privacy awareness and security refresher training should also be provided to all employees. In the event of a privacy incident or breach, it is imperative that a healthcare practice can prove by their documentation that regular privacy and security training is provided to their staff.

Transferring / Exiting Employees

When an employee transitions into a new role or is terminated, review, and update the privacy and security checklist to ensure that access and permissions are appropriately modified or terminated.

Custodian Responsibility

Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This includes having appropriate policies and procedures in place, as well as demonstrating and documenting that you have implemented your plans. This is a requirement of professional college standards of practice and privacy legislation like the Health Information Act (HIA).

See the article Do You Know Where Your Policies And Procedures Are? to learn what can happen to you if you don’t have your employee training process well documented

The Employee Privacy and Security Checklist will make it easy for you to ensure your new hires, existing employees, and transferring or exiting employees are privacy and security compliant.

Download the FREE Report - Employee Privacy and Security Policy and Procedure Checklist Template

If you are a member of Practice Management Success, login and access the webinar replay, and the policy, procedure, and checklist template.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security expecially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

clinic, health care, healthcare, medical, policy, Practice Management Success, privacy, procedure, template

Do You Know Where Your Policies And Procedures Are?

Posted on September 2, 2019 by Jean Eaton in Blog

This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice.

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. #PoliciesClick to Tweet

Don't let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta's Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose.

It started with at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Employee Dispute

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigative report is not the current custodian at the clinic. The physician was hired in 2015 and therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8 (6) of the Regulation states the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodians administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.

Policy and Procedure Manual

Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information in contradiction contravention of section 8(6) of the regulation.
The custodian was in contravention of section 8(6) of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note any collection use or disclosure of health information by an affiliate of a custodian is considered to be the collection, use, and disclosure by the custodian.
The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps.

Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
Oath of confidentiality documents should be signed by all of all clinic staff and custodians and maintained in a secure location.
Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.

Monitor

This incident occurred in 2016. The OIPC office did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide a provision for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure we have these administrative, technical, and physical safeguards in place and are maintained in a consistent fashion.

When you've done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies And Procedures Are?

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

Safeguards: The What, Why, and How

When Do You Need a PIA Amendment?

When is a Privacy Breach a Privacy Breach?

References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf

#PrivacyBreachNugget, Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, Patient privacy, physicians, Policies and procedures, Prevent privacy breaches, privacy, privacy breach, Privacy Impact Assessment, reasonable safeguards, templates

Privacy Principles Applies After Death

Posted on August 5, 2019 by Jean Eaton in Blog

Are your staff looking at medical records when they shouldn’t be?

Many people have the mistaken impression they can look at a patient's medical records as long as they don’t tell anyone else.

You can’t.

We see over and over again in ‘snooping’ cases where seasoned and new healthcare providers and support team members don’t realize that looking at patient’s health information without a need to know that information to provide a health service right away is wrong.

Kate Dewhirst summarized this as

Privacy = don’t look
Confidentiality = don’t tell

We still need privacy awareness training – even those experienced healthcare providers who push back and say that they have been in the business for years still often have more to learn.

Yes, we still need privacy awareness trainingClick to Tweet

In this post I am sharing an example of the Ontario’s Information Privacy Commissioner (IPC) complaint investigation from the family of a deceased individual. Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

In 2014, a physician acting in his role as a coroner, accessed the deceased’s health record. Shortly thereafter, the family alleged that the physician, who was also a family member of the deceased, continued to access the deceased’s personal health information (PHI) contrary to Ontario’s Personal Health Information Protection Act (PHIPA).

The family submitted a complaint to the hospital. Initially, the hospital's response did not satisfy the family. The family filed a complaint to the Information and Privacy Commissioner (IPC) of Ontario.

The IPC started a complaint investigation.

Privacy Breach Investigation

Privacy Complaint Investigation

Under PHIPA, the hospital is a health information custodian and the physician is an agent of the hospital.

During the IPC investigation, the physician confirmed he “accessed the health information in response to his concern about the individual’s well-being.”

“I know now that proceeding in this way was misguided and wrong.” He would never disclose the information to anyone; that would be a violation of patient privacy and a breach of doctor – patient confidentiality.

The physician acknowledged he did not fully appreciate the related but distinct concepts of patient privacy, the circle of care, and the ‘need to know’ principle.

Confidentiality rights arise out the special relationship between the client and the health professional or provider.

In contrast, privacy rights are the general rights of all persons to limit the access to their PHI. Individuals have the right to privacy, even after death.

Individuals have the right to #privacy, even after death. Click to Tweet

4 Step Response Plan

The hospital received a complaint from the family, which triggers the first step to spot and stop the breach.

Secondly, the hospital did an initial investigation to evaluate the risks of the incident. Later, after the IPC initiated their complaint investigation, the hospital re-visited the internal investigation and completed a comprehensive review and used audit log reporting tools to assist them.

Eventually, the hospital took the third step and notified the individuals’ family of the privacy breach. However, the notification was not timely. A more comprehensive response to the families’ complaint, followed by a notice to the family may have provided a better response.

Preventing a similar breach is the fourth step.

Since this incident, the hospital has:

installed a new auditing program that considerably enhances its ability to detect unauthorized access.
updated its Privacy and Confidentiality Policy, which applies to all agents of the hospital.
developed a yearly electronic privacy training program for all staff, volunteers and learners and will require all credentialed physicians to complete this training as part of the annual reappointment process.
strengthened the privacy warning on its electronic system, which warns users that unauthorized use of personal health information may result in disciplinary action.

Privacy Breach Physician Sanctions

The hospital’s Medical Advisory Committee recommended to the Board of Directors that the physician’s privileges be suspended for three months, that the hospital conduct enhanced monitoring of the physician’s access to the electronic medical record for three years, and that, on his return to practice, the physician be required to present at Grand Rounds on the topic of privacy.

The IPC concluded that the disciplinary consequences for the physician were sufficient in the circumstances.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Privacy awareness education is more than just having policies and procedures. Demonstrating good practices, regular discussion about examples, and even gamification helps to ensure that all members of your healthcare team understand their roles and responsibilities.

If you need to start or update your privacy awareness training program, check out the on-line education Privacy Awareness in Healthcare: Essentials.

If you need to start or update your privacy breach management program, check out the 4 Step Response Plan; Prevent Privacy Breach Plan.

When we know better, we can do better…

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video "Can You Spot the Privacy Breach?"

References and Resources

Dewhirst, Kate. After Death: Who Can Access The Records Of A Patient After Death? May 7, 2019. https://katedewhirst.com/blog/2019/05/07/after-death-who-can-access-the-records-of-a-patient-after-death/

Ontario Information and Privacy Commissioner IPC Investigation Report PHIPA DECISION 74 HC15-4 Sault Area Hospital August 10, 2018.

#PrivacyBreachNugget, 4 Step Response Plan, clinic, complaint investigation, death, deceased, healthcare, IPC, medical, Ontario, PHIPA, privacy, privacy after death, privacy awareness training, privacy breach, privacy breach nugget, privacy principles

Safeguards: The What, Why, and How

Posted on July 14, 2019 by Meghan Davenport in Blog

Guest Blog Post by Tamara Beitel

Health Information Management Student, Centre for Distance Education, May 2015

Picture this, the reception room of the clinic was clean and organized, the patients were happy as they were quickly seen by an efficient, positive and qualified healthcare team. This is what happens when the clinic has taken the time to design their safeguards.

What are safeguards? Why are they important to you? How do you implement these safeguards into your clinic/office?

These are important questions to consider when thinking about safeguards. Implementing safeguards will make your clients/patients feel more confident that their personal information is safe. They will be more willing to share their information.

Why should you safeguard health information?

It is important to safeguard health information to protect your business, your reputation, and helps employees understand privacy, security and confidentiality. When your clients/patients see that you are actively making sure that their personal information is safe, they feel more confident in sharing that information knowing it will be protected.

What are safeguards?

There are three types of safeguards to use in maintaining the privacy and confidentiality of health information in your clinic.

Administrative safeguards are the policies and procedures and other written documents. Policies and procedures direct staff to properly access patient information, privacy training for staff, monitoring the policies and procedures, dealing with receiving and responding to privacy complaints and inquiries, and dealing with transferring, retaining and destroying personal information contained on electronic devices.

There is privacy breach management to help prevent or in case of a breach what the procedure is in dealing with the breach. In the blog, When is a privacy breach a privacy breach?, it discusses the repercussions of not implementing breach policies and also discusses the legislation that is in place to safeguard personal information from breaches. It is important to acknowledge when a breach has occurred, that you have taken the proper steps to address the breach, and have learned from the breach so as not to repeat the same mistakes.

Examples of Policies and Procedures:

Signed oaths of confidentiality for all affiliates
Screens should be private and not viewable from public areas
Prohibit disclosure of patient diagnostic, treatment and care information over the phone, even to an individual who claims to be the patient

Technical Safeguards are controls that protect and control access to personally identifiable and health information. Technical safeguards include electronic devices, surveillance cameras, security systems, and telephone systems. Let’s focus on electronic health information and computer networks for example.

Audits of the security and computer systems are vital to maintain privacy and security of personal information. Through audits you can enforce compliance of the policies and procedures and see where changes, if any, are needed. It helps the staff to be aware of the importance in protecting the client/patient personal information. They see that there are consequences for not following policies and procedures.

You should also be aware of the risks from external threats. These include:

identity theft
loss of information
information shared with unauthorized individuals
Some examples of external threats are: malware (malicious software, designed to infiltrate or damage a computer system), spyware (a type of malware that collects information, such as key loggers), and irresponsible use of the Internet

Mitigation strategies include:

regular training and refreshers on privacy and security
IT professionals reassess any software/hardware additions/changes

Examples of technical safeguards in electronic medical records (EMRs) are:

Strong passwords
Encryption of data
Using role-based access to limit access to health information to a need to know basis (user-based access rights ((secure)), role-based rights ((more secure)) and context-based rights ((most secure))

Physical Safeguards are the physical measures used to protect electronic health information from unauthorized access. This includes precautions to prevent break-ins, theft of computers and files, unauthorized access to personal information, applying physical barriers and control procedures against threats to personal information, and policies and procedures on locking up at night, computer etiquette, and office set up (how and where computers, fax machines etc. are set up).

Examples of physical safeguards are:

Limiting access to the building, clinic and storage areas
Alarms and security cameras, doors and locks, lighting
Placing fax machines and printers out of sight and reach of public areas

Safeguards Next Steps

All three of the safeguards should be used in conjunction with each other. The use of these safeguards will help protect your client/patient information from breach, identity theft, loss and unauthorized access. You have the power to make the clinic/office safe from threats to security, privacy and confidentiality. Your clients/patients will know that you have taken all reasonable steps to ensure that their personal information has been protected and appreciate it. It is beneficial to your clinic to review all of your safeguard measures with staff and have regular audits, reviews, updates to the policies and procedures, systems, and security of the clinic. There are many self-assessment tools available from the Privacy Commissioners in the provinces and from the federal government. See the resources below.

About the author: Tamara Beitel has successfully completed the Health Information Management Diploma at Centre for Distance Education, she is currently preparing to challenge the National Certification Exam in July 2015. Tamara is looking forward to work as a Certified Health Information Management (CHIM) professional in the area of policy and privacy protection in the Calgary area.

Resources

Privacy Awareness Training– Corridor Interactive – Privacy Awareness in Healthcare: Essentials

Jean Eaton, When is privacy breach a privacy breach? https://informationmanagers.ca/privacy-breach-privacy-breach/

Office of the Information and Privacy Commissioner of Alberta

Office of the Privacy Commissioner of Canada

best practice, clinic management, good security practices, privacy, privacy breach, Safeguards, security

1 2 3 ›»

"I had the pleasure of working alongside Jean to develop a PIA for my Dental Office. I could not have completed this document without her. She was there to help me every step of the way. Her online course made it easy to communicate with her as well as having so many resources to use that were so helpful. Each Module had videos to watch that explained step by step what needed to be done. The PIA document is a lot of information to put together and if it's not enough information on its own, you also need to develop a policy and procedures manual. Jean has developed an amazing resource for this manual that was very user friendly and made a 300 page manual a lot more attainable than creating it on your own. I highly recommend taking Jean's PIA course and having her help throughout the process!"

- Lindsey Cave, Office Manager, Orion Dental Group