Information Managers
  • Home
  • Services
    • All Services
  • Templates
  • Blog
  • Contact Us
  • Practice Management Success
  • Podcasts

Do You Know Where Your Policies And Procedures Are?

Posted on November 15, 2021 by Jean Eaton in Blog

Do You Know Where Your Policies and Procedures Are?

This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice.

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. #Policies Click to Tweet

Don't let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta's Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose.

It started with at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Employee Dispute

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigative report is not the current custodian at the clinic. The physician was hired in 2015 and therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8 (6) of the Regulation states the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodians administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.

Show Me Policy and Procedure Checklist

Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

  • The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information in contradiction contravention of section 8(6) of the regulation.
  • The custodian was in contravention of section 8(6) of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note any collection use or disclosure of health information by an affiliate of a custodian is considered to be the collection, use, and disclosure by the custodian.
  • The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps.

  1. Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
  2. Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
  3. Oath of confidentiality documents should be signed by all of all clinic staff and custodians and maintained in a secure location.
  4. Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.

Monitor

This incident occurred in 2016. The OIPC office did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide a provision for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure we have these administrative, technical, and physical safeguards in place and are maintained in a consistent fashion.

When you've done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

New! Health Information Policy and Procedure Manuals

When Do You Need a PIA Amendment?

When is a Privacy Breach a Privacy Breach?

References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf

Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, Patient privacy, physicians, Policies and procedures, Prevent privacy breaches, privacy, privacy breach, Privacy Impact Assessment, reasonable safeguards, templates

Sharing Your Vaccine Status – Privacy Tips

Posted on July 19, 2021 by Meghan in Blog

Sharing Your Vaccine Status – Risks and Benefits

For the safety of yourself and others, schools, employers, or event organizers may ask you for proof of vaccination against the COVID-19 virus. It is your right to decide if you share your personal information with others.

Your personal health information can be misused to access services, apply for credit cards using your name, or other fraudulent purposes.

Throughout the pandemic, each of us have had to make decisions about our health safety and the risks and benefits of our actions. You can apply a similar risk and benefit approach to decide if, when and how you share your vaccine status.

 

vaccine status

Why Share?

Consider the purpose of providing your vaccine status.

Are you giving this information to a physician or nurse for your health care?

Before attending a concert or football game?

Is it a pre-requisite before you can attend school or a sports program?

You may also need to consider the benefit of sharing your vaccine status. If you want to travel out of country, a vaccine passport may be required for international travel purposes.

Protect your gold – your personally identifiable information.

If you decide to share your vaccine status:

  • provide the least amount of information needed.
  • know and trust the person (or the app) that you are sharing your information with. Remember, read the privacy policy!
  • understand how your information will be used.

 

Don't Overshare

Sometimes, answering the question ‘Is your vaccine up-to-date?’ is good enough. You don't always need to share your date of birth, family physician, and health care number, too.

You may be asked to show your proof of vaccine status, but don’t allow the casual requester to make a copy of the vaccination report. (There are some exceptions. Sometimes, you may need to share the information with your healthcare provider or a government official).

Instead, the requester can make a simple notation on their records that you were asked about your vaccine status, and you showed an appropriate proof of vaccination. (See the blog post How To Correctly Identify Patients And Use Photo ID for tips on how to implement this practice in your business).

If You Are Collecting Vaccine Status

If you are a business owner who is collecting personal information like a vaccine status, remember that you must follow the appropriate privacy legislation. In Alberta, private businesses must follow Personal Information Privacy Act (PIPA) legislation.

See the advice document from the Alberta Office of the Information and Privacy Commissioner (OIPC) regarding the reasonable purpose to collect personal information and your responsibilities to keep the information secure.

How Do You Get Your Vaccine Report?

Most often, you will receive a paper confirmation from the healthcare provider at the time that you receive your first and second vaccine dose. In Alberta, you can also download your vaccine record from MyHealth Record, the Personal Health Record for Albertans to access some of their health information, such as lab results, medications, and immunizations drawn from Alberta Netcare.

I shared a short video here to show you how you can register for your own personal account. Some other provinces have a similar provincial electronic health record that individuals can access their own health information.

Keep It Safe

You will probably need to refer to your vaccine status often over the next few years. Keep this information safe and easy to retrieve.

Take reasonable steps to protect your information so that other people can't easily view or take your information without your permission. Will you keep your information in:

  • paper format?
  • your wallet or purse?
  • as a photo on your phone?
    • If so, also consider how you will share the photo. If you give your phone to someone to hold and view the photo of your vaccine status or passport, they may also use the access to your phone for other purposes.
  • upload your vaccine status to a digital app?

Evaluate the Risks and Benefits

Remember to ask yourself why you need to share the information and evaluate the risks and the benefits. It's your information, and you get to decide if, when, and how to share your vaccine status. Take the time that you need to ask the right questions and make an informed choice.

After you share your information, it’s too late to take it back.

Instead, be prepared to respond to a request for your vaccine status with these privacy tips to protect your personal health information.

COVID-19, digital vaccine passport, personal health information, privacy, proof of vaccination, vaccine status

What Does a Ransomware Attack Look Like to Patients?

Posted on June 14, 2021 by Meghan in Blog

What Does a Ransomware Attack Look Like To Patients?

One of my favourite podcasts is Help Me with HIPAA. This weekend I listened to Episode 304 Ransomware Creates a Social Media Privacy Violation Storm while I was spring-cleaning my yard.

Donna and David discuss in (almost) real time a ransomware attack that was currently occurring at the San Diego California’s main health systems, Scripps Health. The attack resulted in practically all of its technology being taken down. The EHR went down, patient portals were down, appointments had to be rescheduled, patients had to be diverted to other hospitals… even their website was down.

This podcast episode isn’t about the technology about ransomware. Donna and David walk you through the impact on patients – from the inconvenience and frustration to the disastrous consequences of not having health information available when it is most needed.

This gripping story reveals how communication failures, systems failures and a lack of information snowballed to negatively affect patients when they needed help the most.

My Takeaways From This Help Me With HIPAA Episode

Ransomware is nefarious and its impact is far-reaching.

  • Patient care is compromised – patient information is not accessible, and it is unknown what information can be retrieved and, if it is retrieved, if it is complete and accurate.
  • Privacy breach – obviously! The hackers have patient, employee and business information and have threatened to release it publicly.
  • BUT – employees are also continuously breaching privacy while they are responding to patient concerns on social media DURING the ransomware attack.
  • Employees cannot access their information to do their jobs – work schedules, payroll, portals to perform their jobs. So, alternate, unauthorized workflows are implemented to get the job done which subsequently results in more breaches.
  • While the press release from Scripps Health indicates that they have trained and prepared personnel, the communication from Scripps to patients, employees, and the public has been disorganized, conflicting, and continuously breaching privacy and confidentiality.

I urge you to listen to this episode (about 30 minutes).

Listen to the Help Me With HIPAA Podcast HERE!

[Start at 18:19 minutes]

What Would You Do?

How would you and your team respond to this type of privacy breach?

Share this episode with the members of your incident response plan. Then, use the scenario to conduct a table-top privacy breach fire drill using your privacy breach management plan.

These table-top privacy breach fire drills are a great demonstration of your commitment as an organization to ensure that you are protecting the privacy confidentiality and security of health information.

Now hop over and listen to the Help Me With HIPAA episode to better understand what a ransomware attack looks like to a patient.

https://helpmewithhipaa.com/privacy-questions-everywhere-ep-304/ [Start at 18:19 minutes]

Communication, healthcare, incident response plan, Patients, privacy, ransomware, ransomware attack

Why Would a Dentist Want Access to the Alberta Netcare Portal?

Posted on April 27, 2021 by Meghan in Blog

Why Would A Dentist Want Access To The Alberta Netcare Portal?

As a dentist or dental hygienist, if you have concerns about a patient’s health history, you may want to have access to the Alberta Netcare Portal to view the patient's history of health concerns and current medications.

Alberta Netcare provides personal health information that is available through a province-wide electronic record system under the authority of the Health Information Act (HIA).

Whether a dentist uses paper records, electronic dental records (EDR), or electronic medical records (EMR), using the Alberta Netcare Portal will help dentists monitor their patient’s interactions with other parts of the health care system.

What is the Alberta Netcare Portal?

Alberta Netcare Portal is the secure vehicle through which patient health information from a variety of health care providers is shared and accessed electronically, by independent and hospital-based health service providers like dentists, physicians, nurses and pharmacists. The Alberta Netcare Portal is a data collection centre for registries and systems such as laboratories, diagnostic imaging facilities, hospitals and some specialized clinics. Alberta Health and Wellness is the Netcare information manager.

Dentist Access Alberta Netcare

Dentists and Dental Hygienists Are Custodians

Dentists were designated in 2010 as authorized custodians under the Health information Act (HIA). Dentists can now request access to Alberta Netcare by showing that they meet the Netcare requirements.

Dentists who manage patients with complex medical conditions or for the provision of treatment requiring sedation or general anaesthesia may require additional information about the patients’ health history. Dentists can use Alberta Netcare Portal to view medication profiles, laboratory data and tests results.

Ensuring reasonable safeguards to protect the privacy and security of personal health information of your patients and residents of Alberta is critical! We want everyone who has access to these health data repositories to follow the same best privacy and security practices. The HIA has regulated requirements for all custodians to follow.

Dentist Access Netcare

Everyone needs to follow the rules to play in the sandbox!

How To Get Started

Before you are granted access to Alberta Netcare Portal, you must complete the following steps.

Dentist Access Alberta Netcare

Step 1: Create or update your Health Information Management Privacy and Security Policies and Procedures including the rules governing the access, collection, use, of health information from Alberta Netcare.

Step 2: Complete a Privacy Impact Assessment (PIA) and submit this to the Office of the Information and Privacy Commissioner for review. For more information on how to complete a PIA, click here.

Step 3: Train your team on privacy awareness. I recommend the Privacy Awareness in Health Care Training — Dental Practices.

Step 4: Contact the eHealth Netcare Support Services Team.

Step 5: Complete a Provincial Organizational Readiness Assessment (pORA). See What is a pORA.

Step 6: Sign an Informational Manager Agreement (IMA) and Review Informational Exchange Protocol (IEP) with Alberta Netcare

For more tips on implementing reasonable privacy and security safeguards for your dental practice, see https://informationmanagers.ca/privacy-impact-assessment-pia/.

You can also watch the FAQ video on this topic by clicking the button below!

Watch the FAQ Video HERE!

You May Also Be Interested In:

What is a pORA?

New Health Information Policy and Procedure Manuals

Do You Need An Expedited Netcare Privacy Impact Assessment?

Who Is Doing the Recalls In Your Dental Practice?

Privacy Awareness in Healthcare Training: Dental Practices

Privacy Impact Assessment – Consultation Options Available!

Jean Eaton

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

Alberta Netcare, ANP, dental hygienist, dentist, healthcare, PIA, PIA Consultant, privacy, Privacy Impact Assessment

Privacy Compliance and Technology in Healthcare

Posted on March 7, 2021 by Meghan in Blog

Privacy Compliance and Technology in Healthcare

Event by Rafiki Technologies with Information Managers

 

A Privacy Impact Assessment (PIA) is a practical business tool in your healthcare practice.

A PIA is an important tool that you can use to help you with project management.

It will help you anticipate risks to the project before it starts and avoid serious problems, wasted time and money.

The PIA process requires you to have written policies and procedures so that you can implement the project effectively and train your staff consistently.

Sometimes a PIA is a requirement of legislation. But it is always a best practice whenever you implement a project that includes personal health information.

Join Rafiki Technologies’ Naheed Shivji and Information Managers’ Jean L. Eaton for a guide to successfully keep your patients’ information safe, follow cyber security best practices, and comply with the requirements of the Health Information Act (HIA).

This on-line workshop will provide you with practical tips to plan your Privacy Impact Assessment (PIA) amendment as well as a strategic cybersecurity checklist.

Who Should Attend?

  • Medical, dental, chiropractic, optometric, pharmacy practices in Alberta.
  • Clinic manager, privacy officer or administrative lead responsible for updating your Privacy Impact Assessment.
  • Healthcare provider

Join Naheed Shivji and Jean L. Eaton for a guide to your PIA completion and technology requirements

Thursday, March 18th, 2021

6:00 PM – 7:00 PM MT

Free Registration

 

Click the button below to register for the workshop!

Register for the Complimentary Workshop HERE!
speakers lady man

Meet Naheed Shivji, Founder & President of Rafiki Technologies Inc.

Naheed has more than 20 years of experience in IT with expertise in the dental industry. He is a passionate entrepreneur helping companies understand and embrace technology and is always searching for business best-practices while giving back to the community.

Naheed works hands-on with his clients to develop winning IT strategies and smooth implementations. He is constantly learning and adapting to industry trends to maintain Rafiki Technologies’ position as a leading managed IT services company in Canada.

Meet Jean L. Eaton, BA Admin (Healthcare), CHIM, CC

Your Practical Privacy Coach and Practice Management Mentor with Information Managers Ltd.

Jean has helped hundreds of physicians, chiropractors, pharmacists, and other healthcare providers complete their Privacy Impact Assessment. She has visited hundreds of practices across Canada.

Jean helps independent healthcare practices with practice administration, privacy awareness, privacy breach management, and legislated regulation compliance in Canada.

Jean's career started as a receptionist and transcriptionist in a busy family medical walk-in practice. She moved into health records and health information management and hospital administration in hospitals, regional health authorities, cancer agencies across Canada and Alberta Health.

Now, Jean specializes her consulting practice to independent healthcare practices who want to start, grow, or improve their practice administration so that healthcare providers can focus on providing quality healthcare services. Jean provides training to businesses including healthcare on practical privacy and security best practices and privacy breach management.

If you are starting your new practice and need your first Privacy Impact Assessment, see our available consultation options here.

You May Also Be Interested In:

 

“What is a Privacy Impact Assessment?”

Read the article and watch the short video now to take a look at what is a PIA, what will a PIA do for you, when you need a PIA, and what is the PIA process.

You can also listen to the Practice Management Nuggets podcast episode here.  

 

“How Long Does it Take to do a New Privacy Impact Assessment?”

Ideally, you should start the Privacy Impact Assessment process 3- 6 months prior to your go-live date. Find out more by reading the article.

cybersecurity, dentist, healthcare, privacy, privacy compliance, privacy consultant, Privacy Impact Assessment, security, technology

Do You Use Employee Privacy and Security Policy and Procedure Checklist Templates?

Posted on December 21, 2020 by Jean Eaton in Blog

Why Do You Need Policy and Procedure Checklists for Onboarding and Exiting Employees?

There is much excitement when we welcome a new hire to our team and there are many administrative tasks that need to take place to get this individual up and running. An employee policy and procedure checklist will help!

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed to protect patient privacy as required by our professional colleges and privacy legislation. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

To ensure that onboarding a new employee is a smooth transition, it is imperative to follow a practical checklist procedure to make sure no important steps are missed. There are also many other managerial benefits to adopting this high-quality process:

  • Better job performance and satisfaction
  • Greater commitment to protecting privacy in the organization
  • Reduced stress and better staff retention

Employee Privacy and Security Policy and Procedure Checklist

Policies and procedures are reasonable safeguards to protect the personal and health information entrusted to us. But polices and good intentions alone are not enough; we also need to take action to ensure our policies are understood and are being followed by all our employees.

Training new and existing staff on privacy and security best practices is instrumental in making your healthcare practice a success and maintaining its fine reputation. Following a systematic approach to welcoming a new employee, transitioning an existing employee into a new position, or offboarding an employee who is exiting will guarantee that valuable privacy and security training and accesses are completed.

Read this Privacy Breach Nugget that explains what can happen if you don’t have these good practices in place. Do You Know Where Your Policies And Procedures Are? 

New Employee Orientation / Onboarding

New employees are a welcome addition to any team and there is a vast amount of training that needs to take place from general procedures on how to handle phone calls to signing confidentiality oaths to becoming familiar with all policies and procedures, in addition to learning the everyday job duties for their own position.

Since privacy is good for business, we do not want to miss any important opportunities to train our new staff on privacy and security best practices. Using the Employee Privacy and Security Checklist will help facilitate training discussions and document the authorized accesses of each employee.

Existing Employees / Annual Review

The checklist will also act as a tool for each employee at their performance review. Provide positive feedback and observations of an employee’s successes in protecting personal information. Discuss opportunities for improvement, too. This is also a good time to review an employee’s current authorized role-based accesses and determine if any changes are needed to match the employee’s current job duties.

Ensure that the employee still has ‘tokens’ that they were given at the time of their hire, like identity badge, keys to the clinic or Alberta Netcare RSA fob.

Privacy and security best practices dictate that confidentiality oaths should be signed on an annual basis and annual privacy awareness and security refresher training should also be provided to all employees. In the event of a privacy incident or breach, it is imperative that a healthcare practice can prove by their documentation that regular privacy and security training is provided to their staff.

Transferring / Exiting Employees

When an employee transitions into a new role or is terminated, review and update the privacy and security checklist to ensure that access and permissions are appropriately modified or terminated.

Custodian Responsibility

Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This includes having appropriate policies and procedures in place, as well as demonstrating and documenting that you have implemented your plans. This is a requirement of professional college standards of practice and privacy legislation like the Health Information Act (HIA).

See the article Do You Know Where Your Policies And Procedures Are? to learn what can happen to you if you don’t have your employee training process well documented

The Employee Privacy and Security Checklist will make it easy for you to ensure your new hires, existing employees, and transferring or exiting employees are privacy and security compliant.

 

Download the FREE Report - Employee Privacy and Security Policy and Procedure Checklist Template

Your practice also needs to have policies and procedures that set out how you ensure the privacy, confidentiality, and security of the health information you collect, use, and disclose. Don't know which policies and procedures you need? Download the Privacy and Security Policies and Procedures Checklist below!

Show Me the Policy and Procedure Checklist!

Practice Management Success

If you are a member of Practice Management Success, login and access the webinar replay, and the policy, procedure, and checklist template.

Not a member? Join today!

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies And Procedures Are?

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

New! Health Information Policy and Procedure Manuals

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security expecially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

 

 

checklist, clinic, health care, healthcare, medical, policy, Practice Management Success, privacy, procedure, template

Why You Need Policies and Procedures

Posted on December 7, 2020 by Jean Eaton in Blog

Why You Need Health Information Policies and Procedures

Maybe you’ve heard you need written policies and procedures for your health information, but you’re left asking yourself why it’s so important?

The truth is, without written policies and procedures, you open a healthcare practice up to a whole host of problems, including major legal issues.

In fact, every business needs good practices that apply to your:

  • Information that you collect from patients/clients
  • Website
  • Email
  • Business practices including electronic (or paper) patient records, and computer network
  • Financial information
  • Billing, collection, and payment processing

Within the healthcare industry, there are additional legislation requirements that require specific written health information policies and procedures.

The Health Information Act (HIA) and the Personal Information Privacy Act (PIPA)

As we mentioned, when a custodian collects health information, you must follow the Health Information Act (HIA) in Alberta.

Like most other private businesses in Alberta, private healthcare practices must also comply with the Personal Information Privacy Act (PIPA).

The colleges of regulated health professionals (like the Alberta Dental Association and College (ADAC) and the College of Physicians and Surgeons of Alberta (CPSA), require dentists and physicians to meet the standards of practice which includes compliance to HIA and PIPA legislation.

In addition, the college has other standards of practice that you must meet, including policies and procedures for the collection, use, disclosure, and access of health information.

So, let’s explore further why written policies and procedures are so essential, as well as what can happen without them, and why healthcare practices may not think they need them in the first place.

Benefits of Policies and Procedures

One of the most critical benefits of having policies and procedures in place is that they’re good for business.

Here’s how:

  • They contribute to consistent, efficient workflow.
  • You can figure it out once, write the procedure, tweak it to make it better, and then repeat the same procedure again and again.
  • They help you make better business decisions, like buying supplies, choosing services, and selecting vendors.
  • They help support your accreditation efforts.
  • On-boarding employees the right way with no missed steps is much easier with policies and procedures in place.

If you’re looking for even more proof of the benefits of having written procedures, it can also help you avoid:

  • Internal disputes within your team and external disputes with your patients and clients
  • Re-work and re-training employees
  • Poor customer service
  • Poor reputation
  • Fines and penalties

Fines And Penalties For Not Having Written Policies And Procedures

Fines for not having policies and proceduresYou might be wondering why you would face fines and penalties for not having written policies and procedures in the first place.

The HIA requires the custodian – which includes the dentist or dental hygienist – to take reasonable safeguards to protect the privacy and confidentiality of patients’ health information.

Having written policies and procedures is a common, expected, and reasonable safeguard.

Let’s say you have a privacy breach in your practice or an error (like sending a fax to the wrong number or you are a victim of a phishing or ransomware attack).

You can learn more about what makes a privacy breach a privacy breach here.

If you can’t demonstrate that you had the appropriate reasonable safeguards, like written policies and procedures in place, you are guilty of an offence under the law.

It’s illegal not to have policies and procedures when you collect health information.

If you are guilty of this offence, you are liable for a fine of a minimum of $2,000 and not more than $500,000. (HIA section 107(7)).

3 Policies and Procedures Myths

One reason some healthcare practices fail to have written policies and procedures is because they believe they don’t need them.

Often, this is because they’ve fallen prey to the common myths about policies and procedures.

There are 3 of the common myths that stop healthcare providers and their clinic managers from creating written policies and procedures:

  1. It’s Too Hard

While it does take some skill to write clear, easy to read, and easy to understand policies and procedures, it doesn’t have to be heard. In fact, you can even purchase templates to make this easier.

  1. It Takes Too Much Time

Writing policies and procedures does take some time.

But investing the time to create policies and procedures pays off by preventing suffering from inconsistent or broken procedures, using or disclosing health information in error, and having to pay fines, penalties, public relations nightmares, or spending the time required to run a privacy or security investigation.

  1. It’s A Waste Of Time

Here are a few good reasons that prove writing policies and procedures is not a waste of time:

  • Practical privacy policies and procedures will create a more efficient practice and help you make better business decisions.
  • The policies and procedures become the foundation of your privacy impact assessment.
  • Policies and procedures are pre-requisites for other initiatives, like access to Netcare or other community integration initiatives, and privacy impact assessment (PIA). Click here to learn more about PIAs.
  • You must have them as part of your legislative compliance.
  • It’s the law. Not having policies and procedures regarding the collection, use, disclosure, and access of health information is illegal.

As you can see, written policies and procedures help ensure consistent office procedures and good communication between team members in your healthcare practice.

In addition to those good reasons, you must have good written policies and procedures about how you collect, use, disclose, and provide access to health information to avoid legal problems, fees, penalties, and other problems.

 

Not Sure Which Policies and Procedures That You Need?

Show Me Policy And Procedure Checklist

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies and Procedures Are? 

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

New! Health Information Policy and Procedure Manuals

When Do You Need a PIA Amendment?

What is a PIA?

Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, physicians, PIPA, Policies and procedures, privacy, Privacy Impact Assessment, reasonable safeguards

5 Low Cost Steps You Can Take Now To Prevent Employee Snooping In Healthcare And Prevent Privacy Breach Pain

Posted on October 22, 2020 by Meghan in Blog

Healthcare Employers, Privacy Officers Need To Prevent Employee Snooping

Human curiosity, interpersonal conflicts, shaming or bullying or financial gains are common motivators for snooping. We seem to be hard-wired to want to peek into someone else’s personal and private information. Snooping is a violation of trust between our patients and the healthcare providers and the people who work for them.

We want our patients to trust us. We need the patients to share their personal information with us so that we can provide the appropriate health services to them. When healthcare providers and employees snoop in our patient’s information we destroy that trust with the patient. When one of our team members is snooping, it harms the effectiveness of our teams and damages morale in the clinic.

When employees are snooping in personal health information, it costs the employer time and money.

What Is Snooping?

Looking at someone’s personal information without having an authorized purpose to access that information to do your job is known as ‘snooping’.

Even when you are “just looking” at personal information but don’t share that information with anyone else, this is still a privacy breach.

It is illegal.

Snooping incidents are on the rise and can cost you time, money, heartache, and headache in your practice.

When there is an offence under the privacy legislation like the Health Information Act, there may be an investigation, charges and court appearances, fines, penalties, and loss of employment.

Snooping is entirely preventable. You can easily use the 5 low cost steps to prevent employee snooping in your healthcare practice.

How Can You Prevent Employee Snooping?

Let’s take a look at the pro-active steps that you can take today to prevent employee snooping.

Step 1. Be A Privacy Champion

The first step is to be a privacy champion. Everyone can be a privacy champion in your role in your practice. Make sure that you understand the legal and regulatory obligations about privacy and how it affects your health care practice and your patients is an important step.

In addition, each practice should have a named privacy officer who is responsible for the accountability and management of privacy compliance in your practice. In fact, simply having a named privacy officer increases the likeliness of spotting  and responding to a privacy breach more quickly than a practice that does not have a privacy officer.

The privacy officer will also ensure that there are appropriate policies and procedures related to the correct collection, use, and disclosure of health information – and appropriate monitoring and enforcement when snooping is suspected.

Step 2. Train Privacy Awareness

Healthcare practices must provide privacy awareness training to all of their employees at their orientation and not rely on the assumption that the employees have learned about privacy awareness in their previous roles.

When the training includes examples of snooping and clear expectations about the potential consequences and sanctions, you have set the stage to define the culture that snooping is not acceptable. Unfortunately, there are many examples of snooping privacy breach incidents in the news. When you discuss these examples, you can increase privacy awareness and learn from someone else's privacy breach.

Use These Examples as part of your training to inform employees about the consequences of snooping
Snooping Conviction Earns 3 Years’ Probation
Recent Privacy Breach Convictions Under Alberta’s Health Information Act

Step 3. Reasonable Safeguards

Implementing reasonable safeguards makes it easier for people to do the right thing and avoid the temptation of snooping.

There are three types of safeguards.

Administrative. Written policies, procedures, training, and oaths of confidentiality are examples of administrative safeguards. When there are clear, written, expectations about privacy and confidentiality, including snooping, we are more likely to achieve positive privacy practices.

Technical. This often includes security related to computers. For example, making sure that we have role-based access to systems and personal health information supports the need to know principle. Computer networks and electronic medical record systems that have user management audit logging and enforce unique user ID are other examples about technical safeguards that allows us to prevent and monitor snooping incidents.

Physical. Restricted access to paper records, ensuring that documents are shredded appropriately are examples of physical safeguards that can prevent employee snooping.

Step 4. Monitor to Prevent Snooping

Knowing that their supervisor, co-worker, or privacy officer is observing their interactions with personal information may help to deter employees from snooping.

The supervisor or privacy officer may routinely monitor user audit logs of systems containing personal information to search for unusual activity or pro-active review of users looking up patient information with the same last name or access to VIP records.

Listen to the podcast, How AI Improves EMR Auditing | Episode #094 to learn about an easy way to perform user monitoring and quickly recognize risks from external bad actors and employee snooping incidents!

Step 5. Consequences When Employees Snoop

Well documented and implemented consequences is step 5 to prevent snooping incidents.

Written sanctions and discipline policy are required both as a deterrent to snooping and to facilitate the quick response to a privacy incident.

When proactive measures fail, consequences may be appropriate. The consequences need to be reasonable, consistent across all providers and employees, and fair to the circumstances.

Written sanctions and discipline policy are required both as a deterrent to snooping and to facilitate the quick response to a privacy incident.

Snooping is a privacy breach, and it will require investigation and reporting. Your written privacy breach policies, procedures and forms will help you to respond quickly to a snooping incident.

Sanctions might also be applied outside of the organization. When a privacy breach is reported to the OIPC or a privacy complaint is made to the OIPC, charges may be laid under the HIA.

Listen to the podcast, 5 Steps to Prevent Employee Snooping | Episode #097 to learn more about snooping and how to prevent it in your healthcare practice!

When we know better, we do better

Download  the Practice Management Success Tip, ‘5 Steps To Prevent Employee Snooping'.

Share and discuss examples of snooping and your related policies and procedures to support privacy awareness in your practice.

prevent employee snooping

The Practice Management Success Tip, 5 Steps to Prevent Employee Snooping, will help you

  • Take 5 practical steps to prevent employee snooping.
  • Provide clarity about what is considered a privacy breach.
  • Contribute to the health information privacy compliance in your healthcare practice.
Show Me The 5 Steps to Prevent Employee Snooping

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Snooping Conviction Earns 3 Years’ Probation

Keeping Privacy Active in the Minds of Clinic Staff

Not sure what is considered a privacy breach? See When is a Privacy Breach a Privacy Breach?

 

 

employee snooping, employee training, prevent employee snooping, privacy, privacy breach, privacy officer role and responsibility, reasonable safeguards

Privacy and Security In Telehealth Summit

Posted on October 5, 2020 by Jean Eaton in Blog

Growth in telehealth has exploded in 2020 – and so have the privacy and security risks!

  • 46% of consumers are now using telehealth to replace cancelled healthcare visits1.
  • Providers have rapidly scaled offerings and are seeing 50 to 175 times the number of patients via telehealth than they did before2.
  • 90% of patients prefer telemedicine over in-office visits3.

At the same time, we have seen:

  • 80% of security breaches caused by stolen or brute forced credentials.
  • Individual’s COVID-19 testing status and contact tracking inadvertently released to the public.
  • Unsecure video conferencing exposing personal information to others.

When you properly balance the opportunities of telehealth with safeguards to protect the privacy and security of our patients’ health information, you can:

  • Improve patient access to healthcare and patient satisfaction;
  • Develop viable new business models;
  • Maintain and improve patient relationships;
  • Implement flexible staffing employment models to respond to the demands of the pandemic.

Announcing Virtual Health Privacy Summit

In this Virtual Health Privacy Summit, we’re going with TED-style talks – short, engaging presentations from industry experts on compelling topics that are important to your clinic, practice, or business.

This event is ideal for chiropractors, physiotherapists, doctors, dentists, dental hygienists, dental assistants, dental technicians, receptionists, treatment coordinators, practice managers, privacy officers, or owners of a healthcare practice.

Register Now for the Virtual Health Privacy Summit!

Privacy and Security In Telehealth Summit

Wednesday October 21, 2020
 

 

Keynote – Dr. Kale Matovich
Natural Way Chiropractic

The Phoenix Plan: How Our Chiropractic Practice Uses Telehealth to Support Our COVID Recovery

The COVID-19 pandemic significantly affected the way chiropractors provide care to their patients. Dr. Kale Matovich will share his experiences of implementing telehealth solutions as an unconventional, yet essential, component of both patient care and business recovery at Natural Way Chiropractic.

 

Dr. Angela Mulrooney
Unleashing Influence

Pivoting To Online Possibilities

COVID-19 has shoved us into the future of technology-adoption in healthcare. If you don’t level up and get with the advancements, you will be left behind. Angela will discuss the best innovations and how you can make the most of them in your healthcare practice to ensure online income during shutdowns and into the future of your practice.

 

Anne Genge
Alexio Corporation

Easy and Affordable Ways to Dramatically Increase Your Security Online

“Anne takes difficult concepts and makes then interesting and understandable for everyone” (Maggie S. – attendee: Privacy & Security for Office Managers Course 2019)

Who is this for? This talk is designed for all people working with computers and will give you excellent strategies for your office and home use.

Most people have antivirus on their computers but breaches, data theft, and ransomware keep happening. Learn why, and learn how a few tweaks to how you’re working can make an exponential difference to the security of your patient and personal data.

 

Jean L. Eaton
Information Managers Ltd.

Practical Telehealth Privacy Tips For Your Practice

Your Practical Privacy Coach, Jean L. Eaton, will share practical privacy tips you need to know to implement your telehealth program including:

  • Patient on-boarding;
  • Informed consent to telehealth notice; and
  • How to easily document telehealth encounters in your practice.

 

Lauren Sergy
Up Front Communication

The Keys to Buy-In: How to Get Staff and Patients On Board With New Practices and Processes

Changing how we work can be difficult. No matter what it is you’re changing – shifting your privacy practices, engaging in telehealth, or implementing some other new process – getting buy-in from staff, partners, and patients is crucial to the success of your initiative. In this fascinating session, communication and speaking expert Lauren Sergy will take you on a high-level look at how persuasion works, revealing key strategies to getting the buy-in and commitment you need from your staff.
Register Now for the Virtual Health Privacy Summit!

This is the second summit from Canada's Health Privacy Summit. 

People are talking about the Canadian Health Privacy Summit! 

“Absolutely great and informative summit :)”

“This was the best presentation on this topic that I have heard in the 50 years that I have practiced.”

“Great opportunity for those of us who are in the dental industry to learn about issues related to digital information security”

“A lot of information packed into an afternoon with an opportunity to learn more and connect with the presenters made this a valuable learning experience. Looking forward to the next summit. Thank you!”

References:

(1, 2) McKinney COVID-19 Consumer Survey, April 17, 2020. https://www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/telehealth-a-quarter-trillion-dollar-post-covid-19-reality# 

(3) Dr. Mike Greiwe, Practice Management Nuggets, 2020 September 22, https://practicemanagementnuggets.live/why-medical-practices-will-have-to-offer-telemedicine/ 

We are Cybersecurity Awareness Month Champions!

The Health Privacy Summit is a Champion of online safety and data privacy. This #CybersecurityAwareness Month we're hosting the Privacy and Security In Telehealth Summit October 21! #BeCyberSmart @StaySafeOnline @Cyber #vhps2020

#CybersecurityAwarenessMonth, privacy, security, telehealth

Keeping Privacy Active in the Minds of Clinic Staff

Posted on August 10, 2020 by Meghan in Blog

As an employer and health care provider, you are responsible to provide training to all of your employees about privacy awareness. If you don’t provide the training, if the employees don’t understand the policies and there is a privacy breach, then the healthcare provider is more likely to be held accountable under the legislation and face penalties including fines and even prison!

Protect your organization and your patients. Equip your staff with the information they need to confidently and correctly handle personal health information. Healthcare businesses who want employee and supervisor level privacy awareness training to support key policies, procedures and risk management programs need a privacy awareness training program.

How do you keep privacy active in the minds of your clinic staff?

Below are a number of simple, low-cost tips that you can use right away to build privacy awareness training in your practice.

Start a privacy awareness training program

The super-easy way to start a simple privacy awareness training program in your organization is to start with your Health Information Privacy and Security Policies and Procedures Manual. Take one policy or procedure a week or month, circulate it for review, and then circulate a short follow-up quiz specific to your organization.

If you circulate the quiz by email, depending on which email service you use, you may be able to use the built-in poll feature. You send out the question and in the poll, your team replies with the best answer. That way, you also build in a way to document that people received and responded to your quiz.

 

Listen to podcasts or watch YouTube videos on privacy awareness during a team meeting

Practice Management Nuggets For Your Healthcare Practice is a regular interview series with practice managers, healthcare providers, or trusted vendors who support healthcare practices. Topics include things you need to know to help you start, grow, fix, or maintain your healthcare practice. The events will be short – about 30 minutes – with nuggets of information that you can use right away. You can listen to these interviews as a podcast or watch them on YouTube.

Recent training topics have included:

  • Remote Working Privacy Breach Pain
  • PIPEDA's Mandatory Privacy Breach Notification
  • Privacy Awareness Quiz #PrivacyMatters

 

Take a Privacy Awareness Training course as a team

Regular privacy awareness training protects patients, employees, and your business.

Privacy Awareness in Healthcare Online Training and Privacy Awareness in Health Care Training – Dental Practices are online courses offered by Corridor Interactive.

In the course best fit for your practice, you and your staff will learn:

  • Understand patient and client privacy rights.
  • Respect personal health information and your obligations.
  • Confidently and correctly handle personal health information.
  • Use reasonable safeguards to protect personal health information (PHI).
  • Recognize and respond to a privacy breach
  • Support key policies, procedures and risk management programs in your healthcare practice.

 

Health Privacy SummitBecome a Practice Management Success member

Practice Management Success is an online community with tips, tools, and templates you can use right away to start, grow, fix, or maintain your healthcare practice. Membership is open to all healthcare practices of any size. Members have access to online resources and networking and support from other clinic managers, practice managers, and healthcare providers in independent community practices!

When you are a member of Practice Management Success, you also have access to the Q&A With Jean training library.Use these privacy awareness training videos where you can select the topics that are of interest to your practice. Each Q&A recording includes training (usually 10-30 minutes), and most have training notes or resources that you can download and use right away.

Members also have access to Policy and Procedure Orientation For Your Employees training videos.

 

Subscribe to Privacy Nuggets Newsletter

Privacy Nuggets are posted on the Information Managers blog and also sent to you by email when you subscribe to the Privacy Nuggets newsletter. These articles explore recent privacy breaches and provide a training tip on how to prevent a similar breach from happening in your practice and tips on how to respond to a similar privacy breach incident. You are welcome to share the articles and emails with your team and use this as a training tool, too!

Recent articles include:

  • 3 Parts to Every Privacy Awareness Training
  • Recent Privacy Breach Convictions Under Alberta's Health Information Act
  • When is a Privacy Breach a Privacy Breach?

CyberSecurity Awareness Month

Cybersecurity Awareness Month

The line between our online and offline lives is indistinguishable. In these tech-fueled times, our homes, societal well-being, economic prosperity and nation’s security are impacted by the internet.

The overarching theme for Cybersecurity Awareness Month 2020 is “Do Your Part. #BeCyberSmart.” The theme empowers individuals and organizations to own their role in protecting their part of cyberspace, with a particular emphasis on the key message for 2020: “If you connect it, protect it.”  If everyone does their part – implementing stronger security practices, raising community awareness, educating vulnerable audiences or training employees – our interconnected world will be safer and more resilient for everyone. 

Information Managers Ltd has been a Cyber Security Champion for many years – and now you can, too!

Cyber Security Awareness Month was launched by the National Cyber Security Alliance (NCSA) & the U.S. Department of Homeland Security in October 2004. This US organization sponsors a multi-media resource campaign each October.

Become a Champion

You can become a Champion, too – and get direct access to all the resources.

  • Demonstrate to team the importance of cyber security at work.
  • Share with your patients – by posters in your practice, blog posts, or your email newsletters – and demonstrate that your practice is cyber aware and you want to share tips with them.
  • If you have team members who work remotely, work from home, use their own mobile devices, or use the internet to connect with apps and resources – give them additional skills to do their work as safely as possible.
  • Help your team members better manage their own personal information in their personal lives – good habits that will help them at work, too!

Becoming a Champion is easy and does not require any financial support. Become a Champion here https://staysafeonline.org/ncsam/champions/.

Throughout October, NCSA will focus on the following areas in our promotions and outreach. Partners are welcome to follow along with NCSA but also encouraged to create their own areas of focus relevant to their organization:

There is a #BeCyberSmart theme for each week in October.

October 1 and 2: Official kick-off for the month

Week of October 5 (Week 1): If You Connect It, Protect It

Week of October 12 (Week 2): Securing Devices at Home and Work

Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare

Week of October 26 (Week 4): The Future of Connected Devices

Watch for resources from Information Managers during Cyber Security Month.

 

 When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.  

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

 

#BeCyberSmart, cyber security, healthcare, privacy, privacy awareness in healthcare, privacy awareness training
123›»

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

"The thing that I liked about the 'Engage your patients using automated tools' webinar interview was ideas to have patients engaged in their own health care instead of us doing all the work, simply put. There were a few ideas about how to achieve this in the long run."

--Practice Management Nugget event, 'Engage your patients using automated tools' with Karol Clark

- Michelle from Wabasca

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2021 Information Managers Ltd.