Information Managers
  • Home
  • Services
    • All Services
  • Templates
  • Blog
  • Contact Us
  • Practice Management Success
  • Podcasts

Improve Your Healthcare Practice Security With Audit Logs

Posted on March 15, 2023 by Jean Eaton in Blog

Sharing is caring!

0 shares
  • Share
  • Tweet
  • LinkedIn
  • Email

How to Improve Your Healthcare Practice Security With Audit Logs

When was the last time that you reviewed your access logs in your healthcare practice?

 

In our policies, procedures, risk assessments, and privacy impact assessment submissions, we indicate the reasonable safeguards that we expect to implement in our practices to protect the privacy and security of health information.

But policies and good intentions alone isn’t enough.

We also need to take action on our policies.

We have tools, like audit logs, available to us. Audit logs of our computer and software systems are available to monitor users who have accessed the system and the information contained in the systems.

Audit Log Image

Audit logs monitor and records the transactions of users’ activities in your computer network and your electronic medical record (EMR). It is an automated, real-time recording of who did what, and when, in your system.

For example, when a user logs in to your computer network at the beginning of the work day, the user name, date, time, and perhaps the workstation identifier is recorded in the audit log.

When the user logs into the EMR and creates, views, modifies, or prints from a specific patient record, each activity is recorded in the audit log. In this way, the audit log records both the activity of each user and, in each patient’s electronic medical record, who has accessed that patient’s health information.

You MUST implement, use, and monitor your audit logs

The regular review of the audit logs can demonstrate that the administrative, technical, and physical safeguards that we implement to protect the health information, our people, and our assets are working. Review of audit logs can also identify weaknesses so that corrective action can be taken to improve our privacy and security strategy.

For example, when you review your audit log, you may see that an employee (authorized user) is accessing the EMR after clinic hours. When you investigate, you find out that the billing clerk is doing the billing submission from home.

This might be OK in your healthcare practice (or not). But, now you know what is happening iin your clinic EMR after hours and you can take appropriate action.

 

Audit Logs Are Valuable Metadata

Taken from a different point of view, the audit log provides important additional information, or metadata, about the care and treatment of the patient. Knowing who created a clinic note, wrote a prescription, or reviewed a test result provides a story about the care that the patient received. For this reason, the audit log of the EMR is usually required by legislation to be maintained for the entire retention period of the patient’s record. This is generally 10 or more years for adult patients and longer if the patient was a child at the time that they were a patient or client in your practice.

 

How You Can Use Audit Logs to Improve the Security of Health Information In Your Practice

Snooping, or viewing someone’s health information for an unauthorized use, is not uncommon in healthcare. Snooping is always a breach of confidentiality and trust that our patients give to us.

Sometimes, snooping is because someone is concerned or curious about a family member or friend and don’t intend to do anything ‘bad’ with that information.

We also know that people will sometimes access information for malicious means – that is,  using a ‘criminal intent’ or to be mean or disparaging to the individuals involved.

Say No to Snooping

When you regularly review your audit logs, you

  • Create a deterrent to all users to check something out ‘just this once, no one will know’.
  • Find potential threats or weaknesses in your current systems that you can improve to better mitigate your risks.

Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This means having appropriate policies and procedures in place and demonstrate and document that you have implemented your plans.

 

Action Steps That You Should Do Now

Use these points as a checklist to help you start using your audit logs to improve security in your healthcare practice.

  • Computer Network System Audit Log
    • Ensure that your computer network system has audit logging enabled.
    • Access and review your audit log. Don’t skip this step! Don’t assume that your audit logging is properly set up. You must discover how to access the audit log and record the procedure so that you can quickly access the audit log in the event that you have a privacy and security breach or routine security audit.
    • Determine how long your audit log information is accessible or retained. Is it included in your routine backup files? Legislative retention requirements differ but you probably want to keep the audit logs accessible for six months or longer.
    • Can you automate an audit log reporting tool to make it easier to review your audit logs regularly? Who in your healthcare practice is responsible to do this?
  • Electronic Medical Records (EMR) / Electronic Health Records (EHR) System Audit Log
    • Most health information legislation and regulations now require EMR / EHR to include an integrated audit log / access log. Confirm that you have enabled your EMR / EHR audit log.
    • Access and review your audit log. Don’t skip this step! Don’t assume that your audit logging is properly set up. You must discover how to access the audit log and record the procedure so that you can quickly access the audit log in the event that you have a privacy and security breach or routine security audit.
    • Determine how long your audit log information is accessible or retained. Is it included in your routine backup files? Legislative retention requirements differ but you probably want to keep the audit logs accessible for as long as you retain the entire patient record – generally, 10 or more years years.
    • Can you automate an audit log reporting tool to make it easier to review your audit logs regularly? Who in your healthcare practice is responsible to do this? Check out the Practice Management Nuggets Podcast

      How AI Improves EMR Auditing | Episode #094 with Rob Pruter from SPHER.

    • User activity recorded in an audit log is often visible to subsequent EMR users when they access a patient record. In the course of routine workflow, users may observe and question inappropriate access to an individual patient record. Instruct your users to notify the clinic manager or privacy officer if the audit log indicates a suspicious activity.
    • Include the review of audit logs as part of your routine privacy and security monthly audit.

Click the link below to get your copy of the audit templates and the training video!

I Want the Audit Templates to Improve Privacy and Security!

Are you already a member of Practice Management Success?

The instructional video and Privacy and Security Monthly Audit Template is already in your membership!

Click the button now to go to the membership to access your resources.

Go to my Practice Management Success membership

 When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS
audit log, EMR, health care, healthcare practice, medical, reasonable safeguards

Why You Need Policies and Procedures

Posted on March 15, 2022 by Jean Eaton in Blog

Why You Need Health Information Policies and Procedures

Maybe you’ve heard you need written policies and procedures for your health information, but you’re left asking yourself why it’s so important?

The truth is, without written policies and procedures, you open a healthcare practice up to a whole host of problems, including major legal issues.

In fact, every business needs good practices that apply to your:

  • Information that you collect from patients/clients
  • Website
  • Email
  • Business practices including electronic (or paper) patient records, and computer network
  • Financial information
  • Billing, collection, and payment processing

Within the healthcare industry, there are additional legislation requirements that require specific written health information policies and procedures.

The Health Information Act (HIA) and the Personal Information Privacy Act (PIPA)

As we mentioned, when a custodian collects health information, you must follow the Health Information Act (HIA) in Alberta.

Like most other private businesses in Alberta, private healthcare practices must also comply with the Personal Information Privacy Act (PIPA).

The colleges of regulated health professionals (like the Alberta Dental Association and College (ADAC) and the College of Physicians and Surgeons of Alberta (CPSA), require dentists and physicians to meet the standards of practice which includes compliance to HIA and PIPA legislation.

In addition, the college has other standards of practice that you must meet, including policies and procedures for the collection, use, disclosure, and access of health information.

So, let’s explore further why written policies and procedures are so essential, as well as what can happen without them, and why healthcare practices may not think they need them in the first place.

Benefits of Policies and Procedures

One of the most critical benefits of having policies and procedures in place is that they’re good for business.

Here’s how:

  • They contribute to consistent, efficient workflow.
  • You can figure it out once, write the procedure, tweak it to make it better, and then repeat the same procedure again and again.
  • They help you make better business decisions, like buying supplies, choosing services, and selecting vendors.
  • They help support your accreditation efforts.
  • On-boarding employees the right way with no missed steps is much easier with policies and procedures in place.

If you’re looking for even more proof of the benefits of having written procedures, it can also help you avoid:

  • Internal disputes within your team and external disputes with your patients and clients
  • Re-work and re-training employees
  • Poor customer service
  • Poor reputation
  • Fines and penalties

Fines And Penalties For Not Having Written Policies And Procedures

Fines for not having policies and proceduresYou might be wondering why you would face fines and penalties for not having written policies and procedures in the first place.

The HIA requires the custodian – which includes the physician, pharmacist, dentist or dental hygienist – to take reasonable safeguards to protect the privacy and confidentiality of patients’ health information.

Having written policies and procedures is a common, expected, and reasonable safeguard.

Let’s say you have a privacy breach in your practice or an error (like sending a fax to the wrong number or you are a victim of a phishing or ransomware attack).

You can learn more about what makes a privacy breach a privacy breach here.

If you can’t demonstrate that you had the appropriate reasonable safeguards, like written policies and procedures in place, you are guilty of an offence under the law.

It’s illegal not to have policies and procedures when you collect health information.

If you are guilty of this offence, you are liable for a fine of a minimum of $2,000 and not more than $500,000. (HIA section 107(7)).

3 Policies and Procedures Myths

One reason some healthcare practices fail to have written policies and procedures is because they believe they don’t need them.

Often, this is because they’ve fallen prey to the common myths about policies and procedures.

There are 3 of the common myths that stop healthcare providers and their clinic managers from creating written policies and procedures:

  1. It’s Too Hard

While it does take some skill to write clear, easy to read, and easy to understand policies and procedures, it doesn’t have to be heard. In fact, you can even purchase templates to make this easier.

  1. It Takes Too Much Time

Writing policies and procedures does take some time.

But investing the time to create policies and procedures pays off by preventing suffering from inconsistent or broken procedures, using or disclosing health information in error, and having to pay fines, penalties, public relations nightmares, or spending the time required to run a privacy or security investigation.

  1. It’s A Waste Of Time

Here are a few good reasons that prove writing policies and procedures is not a waste of time:

  • Practical privacy policies and procedures will create a more efficient practice and help you make better business decisions.
  • The policies and procedures become the foundation of your privacy impact assessment.
  • Policies and procedures are pre-requisites for other initiatives, like access to Netcare or other community integration initiatives, and privacy impact assessment (PIA). Click here to learn more about PIAs.
  • You must have them as part of your legislative compliance.
  • It’s the law. Not having policies and procedures regarding the collection, use, disclosure, and access of health information is illegal.

As you can see, written policies and procedures help ensure consistent office procedures and good communication between team members in your healthcare practice.

In addition to those good reasons, you must have good written policies and procedures about how you collect, use, disclose, and provide access to health information to avoid legal problems, fees, penalties, and other problems.

 

Not Sure Which Policies and Procedures That You Need?

Show Me Policy And Procedure Checklist

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies and Procedures Are? 

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

New! Health Information Policy and Procedure Manuals

Privacy Impact Assessments (PIA)

 

Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, physicians, PIPA, Policies and procedures, privacy, Privacy Impact Assessment, reasonable safeguards

Do You Know Where Your Policies And Procedures Are?

Posted on November 15, 2021 by Jean Eaton in Blog

Do You Know Where Your Policies and Procedures Are?

This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice.

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. #Policies Click to Tweet

Don't let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta's Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice, or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient, and keep your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose.

It started with at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Employee Dispute

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigative report is not the current custodian at the clinic. The physician was hired in 2015 and therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8 (6) of the Regulation states the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodians administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.

Show Me Policy and Procedure Checklist

Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

  • The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information in contradiction contravention of section 8(6) of the regulation.
  • The custodian was in contravention of section 8(6) of the regulation which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note any collection use or disclosure of health information by an affiliate of a custodian is considered to be the collection, use, and disclosure by the custodian.
  • The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know how breaches can affect you allows you to be more proactive to prevent privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps.

  1. Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
  2. Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
  3. Oath of confidentiality documents should be signed by all of all clinic staff and custodians and maintained in a secure location.
  4. Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.

Monitor

This incident occurred in 2016. The OIPC office did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide a provision for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure we have these administrative, technical, and physical safeguards in place and are maintained in a consistent fashion.

When you've done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about the breaches and how they can affect you allows you to be more proactive to prevent privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Why Do You Need Health Information Policies and Procedures?

Healthcare Policies And Procedures: Essential in EVERY Practice

New! Health Information Policy and Procedure Manuals

When Do You Need a PIA Amendment?

When is a Privacy Breach a Privacy Breach?

References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf

Alberta, clinic, custodian, health, Health Information Act, healthcare, HIA, medical, Patient privacy, physicians, Policies and procedures, Prevent privacy breaches, privacy, privacy breach, Privacy Impact Assessment, reasonable safeguards, templates

Healthcare Policies And Procedures

Posted on November 30, 2020 by Jean Eaton in Blog

Healthcare Policies and Procedures: What Are They and Why Do Practices Need Them?

 

Healthcare policies and procedures are essential tools in EVERY healthcare practice.

We use written policies and procedures to ensure consistent office procedures and good communication between team members, but it doesn’t stop there.

Before we get to the many benefits of healthcare policies and procedures, let’s cover exactly what these terms mean.

Not sure which policies and procedures you need? Click here to find out!

Policies and Procedures Defined

For our purposes today, this is what we mean by these terms:

Policy: A set of ideas or plans that is used as a basis for making decisions.

Procedure: A fixed, step-by-step sequence of activities or course of action.

Both policies and procedures serve several important purposes in a healthcare practice.

Policies and procedures can help you:

  • Protect your practice with consistency in decision making and implementing routine tasks.
  • Provide team members direction and guidelines; help avoid micromanaging. Here’s more information on how policy and procedure checklists help with employee privacy and security.
  • Ensure quality and cost-effective processes.
  • Well thought out policies and procedures reduce re-work and make for more efficient practices.
  • Encourage team members to work to their full scope of responsibilities.
  • Contribute to compliance, including professional standards, HIA, insurance.
  • Protect your healthcare practice by demonstrating your administrative safeguards.

As powerful and effective as policies and procedures can be, they can also pose certain problems or risks if they’re not implemented properly — or if they don’t exist in the first place.

On that note, if you have policies and procedures in place, it’s also imperative to know where they are. Don’t miss this cautionary tale where I tell you why.

If your policies and procedures are unclear or non-existent, these are some of the risks you expose a healthcare practice to:

  • Fines and even jail time for the healthcare provider
  • Increased conflict and potential for misunderstanding within a practice
  • Increased conflict between employees, misunderstanding, and poor customer service
  • Poor business decisions and wasted time and money

Simply talking about your policies and procedures is not a good business strategy! You need to have clear healthcare policies and procedures in place if you want to reap all of their benefits.

So, let’s go over what makes a good healthcare policy with a clear and effective design.

Policies ask WHY and WHAT

Policies are the steps to put your goals into action — policies are proactive.

The WHY: Why is this policy needed? It is the general guide for decision-making.

The WHAT: What do you want to show for programs, activities, and services?

Each year, policies need to be reviewed and authorized by the clinic manager, privacy officer, healthcare provider and/or owners. Your team members need the opportunity to review and understand the policies regularly, too.

Review policies to assure that they reflect what the clinic is doing and that the clinic is following the written policy. Changes may need to be completed and approved.

Now, let’s cover what makes for good procedures before we get to how to create your manual.

Procedures ask HOW

The HOW: How you plan to carry out the objectives and details listed in your policies?

Your procedures should include sufficient detail so a new employee can complete a task based on the information provided.

We’ve discussed the objectives of your policies and procedures for your healthcare practice, now here are some useful tips for actually creating your policies and procedures manual:

  1. Include screen prints if computer-based.
  2. Include video explanations.
  3. Format the policy and procedures so that each policy or procedure is a separate, stand-alone document.
  4. Assign a NUMBER to each policy and procure to make it easy to reference in your PIA, or direct your staff to review. You can use any numbering system that you want — I usually use a sequential numbering system.
  5. Headings make it easier to group your information which makes it easier for the reader to review and then focus on the details that they need. Repeat the same headings throughout the policies and procedures to provide consistency across the manual. Use the headings as needed; not all policies or procedures need all the headings.
  6. Cite legislative and standards requirements, like the HIA.

When you’re implementing changes to these policies and procedures or creating them in the first place, be sure to involve key parties. This includes:

  • Custodian/trustee/business owner
  • Clinic manager/team lead
  • Privacy officer

Remember, implementing a new procedure or policy successfully must always include training and discussion with your team.

Which Privacy and Security Policies and Procedures Do YOU Need?

Without well-documented, written policies and procedures, you open your healthcare practice up to a whole host of problems, including major legal issues.

Does your clinic have appropriate policies and procedures?

Not sure which policies and procedures you need? Click here to find out!

Get the Reliability And Power of Policy and Procedure Templates Without Spending Hours (or Days) Creating Them!

Your healthcare practice needs written policies and procedures to assist you to correctly, efficiently, and confidently collect, use, access, and disclosure of health information so that you can meet your accreditation, privacy impact assessment, and regulatory compliance requirements.

Now For Medical, Dental, Chiropractic and Nursing, Too!

  • Starting with a template saves you time and money
  • Be privacy and security compliant
  • No special software to buy or learn
  • Use your existing MS Word and MS Excel office productivity software
  • One-time fee
  • On-line support
  • Available now!

Click the >> arrow to watch a short demo of the robust manual you can create quicker than you thought possible!

Show Me Policy And Procedure Templates!

Different Policy and Procedure versions available for your specific type of healthcare practice

Medical Doctor Health Information Policy and Procedure

Medical Practice

Dental Practice Health Information Policy and Procedure

Dental Practice

Chiropractor Health Information Policies and Procedures

NEW!
Chiropractic Practice

Nurse Practitioner Health Information Policy and Procedure

NEW!
Nurse Practitioner Practice

Registered Nurse Health Information Policy and Procedure

NEW!
Registered Nurse Practice

Health Information Policy and Procedure Manuals ready for you now!

Step 1: Complete the questionnaire and download the templates

Step 2: Easily generate draft 24+ policies and 28+ procedures and forms using MS Word

Step 3: Edit the documents

Step 4: Video coaching and best practices for the policies and procedures and implementation tips

Step 5: Customize for your healthcare practice

Step 6: Video orientation for your employees

Show Me Policy And Procedure Templates!

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Do You Know Where Your Policies And Procedures Are?

Why Do You Need Health Information Policies and Procedures?

New! Health Information Policy and Procedure Manuals

Safeguards: The What, Why, and How

When Do You Need a PIA Amendment?

When is a Privacy Breach a Privacy Breach?

clinic, custodian, health, Health Information Act, healthcare, HIA, medical, physicians, PIPA, Policies and procedures, Privacy Impact Assessment, reasonable safeguards

5 Low Cost Steps You Can Take Now To Prevent Employee Snooping In Healthcare And Prevent Privacy Breach Pain

Posted on October 22, 2020 by Meghan in Blog

Healthcare Employers, Privacy Officers Need To Prevent Employee Snooping

Human curiosity, interpersonal conflicts, shaming or bullying or financial gains are common motivators for snooping. We seem to be hard-wired to want to peek into someone else’s personal and private information. Snooping is a violation of trust between our patients and the healthcare providers and the people who work for them.

We want our patients to trust us. We need the patients to share their personal information with us so that we can provide the appropriate health services to them. When healthcare providers and employees snoop in our patient’s information we destroy that trust with the patient. When one of our team members is snooping, it harms the effectiveness of our teams and damages morale in the clinic.

When employees are snooping in personal health information, it costs the employer time and money.

What Is Snooping?

Looking at someone’s personal information without having an authorized purpose to access that information to do your job is known as ‘snooping’.

Even when you are “just looking” at personal information but don’t share that information with anyone else, this is still a privacy breach.

It is illegal.

Snooping incidents are on the rise and can cost you time, money, heartache, and headache in your practice.

When there is an offence under the privacy legislation like the Health Information Act, there may be an investigation, charges and court appearances, fines, penalties, and loss of employment.

Snooping is entirely preventable. You can easily use the 5 low cost steps to prevent employee snooping in your healthcare practice.

How Can You Prevent Employee Snooping?

Let’s take a look at the pro-active steps that you can take today to prevent employee snooping.

Step 1. Be A Privacy Champion

The first step is to be a privacy champion. Everyone can be a privacy champion in your role in your practice. Make sure that you understand the legal and regulatory obligations about privacy and how it affects your health care practice and your patients is an important step.

In addition, each practice should have a named privacy officer who is responsible for the accountability and management of privacy compliance in your practice. In fact, simply having a named privacy officer increases the likeliness of spotting  and responding to a privacy breach more quickly than a practice that does not have a privacy officer.

The privacy officer will also ensure that there are appropriate policies and procedures related to the correct collection, use, and disclosure of health information – and appropriate monitoring and enforcement when snooping is suspected.

Step 2. Train Privacy Awareness

Healthcare practices must provide privacy awareness training to all of their employees at their orientation and not rely on the assumption that the employees have learned about privacy awareness in their previous roles.

When the training includes examples of snooping and clear expectations about the potential consequences and sanctions, you have set the stage to define the culture that snooping is not acceptable. Unfortunately, there are many examples of snooping privacy breach incidents in the news. When you discuss these examples, you can increase privacy awareness and learn from someone else's privacy breach.

Use These Examples as part of your training to inform employees about the consequences of snooping
Snooping Conviction Earns 3 Years’ Probation
Recent Privacy Breach Convictions Under Alberta’s Health Information Act

Step 3. Reasonable Safeguards

Implementing reasonable safeguards makes it easier for people to do the right thing and avoid the temptation of snooping.

There are three types of safeguards.

Administrative. Written policies, procedures, training, and oaths of confidentiality are examples of administrative safeguards. When there are clear, written, expectations about privacy and confidentiality, including snooping, we are more likely to achieve positive privacy practices.

Technical. This often includes security related to computers. For example, making sure that we have role-based access to systems and personal health information supports the need to know principle. Computer networks and electronic medical record systems that have user management audit logging and enforce unique user ID are other examples about technical safeguards that allows us to prevent and monitor snooping incidents.

Physical. Restricted access to paper records, ensuring that documents are shredded appropriately are examples of physical safeguards that can prevent employee snooping.

Step 4. Monitor to Prevent Snooping

Knowing that their supervisor, co-worker, or privacy officer is observing their interactions with personal information may help to deter employees from snooping.

The supervisor or privacy officer may routinely monitor user audit logs of systems containing personal information to search for unusual activity or pro-active review of users looking up patient information with the same last name or access to VIP records.

Listen to the podcast, How AI Improves EMR Auditing | Episode #094 to learn about an easy way to perform user monitoring and quickly recognize risks from external bad actors and employee snooping incidents!

Step 5. Consequences When Employees Snoop

Well documented and implemented consequences is step 5 to prevent snooping incidents.

Written sanctions and discipline policy are required both as a deterrent to snooping and to facilitate the quick response to a privacy incident.

When proactive measures fail, consequences may be appropriate. The consequences need to be reasonable, consistent across all providers and employees, and fair to the circumstances.

Written sanctions and discipline policy are required both as a deterrent to snooping and to facilitate the quick response to a privacy incident.

Snooping is a privacy breach, and it will require investigation and reporting. Your written privacy breach policies, procedures and forms will help you to respond quickly to a snooping incident.

Sanctions might also be applied outside of the organization. When a privacy breach is reported to the OIPC or a privacy complaint is made to the OIPC, charges may be laid under the HIA.

Listen to the podcast, 5 Steps to Prevent Employee Snooping | Episode #097 to learn more about snooping and how to prevent it in your healthcare practice!

When we know better, we do better

Download  the Practice Management Success Tip, ‘5 Steps To Prevent Employee Snooping'.

Share and discuss examples of snooping and your related policies and procedures to support privacy awareness in your practice.

prevent employee snooping

The Practice Management Success Tip, 5 Steps to Prevent Employee Snooping, will help you

  • Take 5 practical steps to prevent employee snooping.
  • Provide clarity about what is considered a privacy breach.
  • Contribute to the health information privacy compliance in your healthcare practice.
Show Me The 5 Steps to Prevent Employee Snooping

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Snooping Conviction Earns 3 Years’ Probation

Keeping Privacy Active in the Minds of Clinic Staff

Not sure what is considered a privacy breach? See When is a Privacy Breach a Privacy Breach?

 

 

employee snooping, employee training, prevent employee snooping, privacy, privacy breach, privacy officer role and responsibility, reasonable safeguards

3 Parts to Every Privacy Awareness Training Plan

Posted on June 15, 2020 by Jean Eaton in Blog, Clinic Manager / Privacy Officer, Employee, Established Practice, New Practice, Services

Reasonable Safeguards – the Myth

You may have heard the myth that the Health Information Act (HIA) is a big scary thing that will interrupt your routine, rob you of countless billable hours, impact all of your staff, turn your office inside out, and change the way that you run your entire business!

Myth Buster

The HIA provides structure and framework for reasonable safeguards that apply to any healthcare business.

One of the requirements of reasonable safeguards includes having a privacy awareness training plan.

     
Privacy Awareness Training

Click the >> arrow to play the video

Privacy Awareness Training

Your Privacy Awareness Training Plan should include learning objectives throughout the year, including

  • Orientation – Standardized training curriculum provided to everyone in you healthcare practice at the time of employment. This is often included during a new employee’s orientation period.
  • Specific – Privacy training that is more detailed and specific to the roles and responsibilities of that individual’s job in your healthcare practice. There may also be specific training when new software, technology, or procedures are introduced anytime throughout the employment.
  • Reward – Keep privacy awareness top of mind all year long. Recognize and reward when individuals follow privacy principles that also add value to your client satisfaction or business efficiency.

It is reasonable to expect regular privacy awareness training, especially at orientation, and a formal review annually.

What a Privacy Awareness Training Plan Can Do For You

When you implement regular privacy awareness training, you will see:

  • Privacy and security expectations clearly communicated among your team.
  • Team members demonstrate their commitment to privacy, confidentiality, security of personal health information.
  • Efficient practices that protect the privacy and save you time and money
  • Team members confidently and correctly handle personal health information using reasonable safeguards

Are You a Myth-Buster?

You can be a myth-buster, too, and implement privacy awareness training in your healthcare practice.

You can easily implement reasonable safeguards and meet HIA requirements to ensure privacy, confidentiality, and security of health information that saves you time, frustration and money.

If you need a little help, I have written a practical privacy awareness training course designed for the community health care practice. This is ideal for orientation of new employees and a refresher for the rest of us.

Privacy Awareness in Healthcare: Essentials

Understand basic health care privacy principles and how to handle personal information, use safeguards, and recognize and report a privacy breach.

Ideal for community-based health care professionals and staff, direct care providers, or anyone working with a health care, dental, or social services organization.

An effective privacy compliance program promotes organizational adherence to the Health Information Act (HIA), Personal Information Protection Act (PIPA) Alberta, Personal Health Information Protection Act (PHIPA) Ontario and the Personal Information Protection of Electronic Documents Act (PIPEDA) requirements. A compliance program is your first line of defense to promote the prevention of criminal conduct, and enforce government rules and regulations, while providing quality care to patients. All three training products help protect practices against privacy and security breaches, improper payments, fraud and abuse, and other potential liability areas through education.

Canadian Health Care Privacy Training Solutions

Corridor’s online training makes it easy for health care organizations to comply with provincial and federal legislation that mandates regular privacy training for all health care providers, staff, and vendors.

Select the training that best fits your needs:

NEW! Privacy Awareness in Healthcare Training: Dental Practices – Alberta

Dentists and dental practices in Alberta are required to have an ongoing privacy program to ensure the protection of private records and patient information. The appropriate collection, use, and disclosure of personal information is critical to maintaining privacy for patients that choose to trust in your practice. Accomplishing this important goal demands an up-to-date training strategy.

Privacy Awareness in Health Care Training – Canada

Includes detailed resources for each province and territory with key terminology and links to applicable privacy legislation. Resources are provided for our ten provinces: Alberta, British Columbia, Manitoba, New Brunswick, Newfoundland & Labrador, Nova Scotia, Ontario, Prince Edward Island, Quebec, Saskatchewan, and three territories: Northwest Territories, Nunavut and Yukon. This new product is ideal for both organizations and vendors who provide health care services or have health care clients in more than one province.

Privacy Awareness in Health Care Training – Alberta 

Includes the mandatory privacy breach notification amendments to the Health Information Act (HIA).

Privacy Awareness in Health Care Training – Ontario

Specifically covers all legislation and rules specific to the province of Ontario including the Personal Health Information Protection Act (PHIPA).

Refresher: Privacy Awareness in Health Care – Alberta

A quiz-based review of Corridor’s full Privacy Awareness course. The Refresher starts with an initial quiz to assess knowledge on the topics and information covered in the full course. Based on the quiz results, one or more of eight Refresher topic quizzes must be completed, each focusing on a specific subject area. The Refresher also includes access to the original course content.

 

Privacy Awareness in Healthcare: Essentials

Grab your on-line course from Information Managers and Corridor Interactive

for just $30 per individual 3 month subscription now!

Click Here to Grab Your On-Line Privacy Awareness Course Now!
Alberta, Canada, Corridor Interactive, dental, Health Information Act, Ontario, Personal Health Information Protection Act (PHIPA), PHIPA, PIPEDA, privacy awareness training, reasonable safeguards

Recent Privacy Breach Convictions Under Alberta’s Health Information Act

Posted on October 15, 2019 by Jean Eaton in Blog

In August 2018, Alberta proclaimed amendments to the Health Information Act (HIA) that requires healthcare providers (custodians) to report a privacy breach with a risk of significant harm to the Office of the Information and Privacy Commissioner (OIPC), the Ministry of Health of Alberta, and of course, to patients affected by the privacy breach.

This requirement that custodians must report a privacy breach to the to the OIPC has resulted in a huge increase in the number of reported privacy breaches in healthcare.

Custodians includes healthcare providers like physicians, pharmacists, chiropractors, dentists, optometrists, registered nurses, health authorities, and more

This is not unexpected. We in healthcare know that there are many privacy breaches that happen everyday. Many of these breaches are honest mistakes. However, an increasing number are intentional, malicious actions intended to harm others.

The benefit of having these breaches reported to a regulator is to improve compliance to reasonable safeguards to protect the health information of Alberta residents. And, as a result, more custodians and affiliates (people that work for a custodian) are being held accountable under the HIA legislation to ensure that they are meeting the reasonable safeguards.

In the first year of mandatory privacy breach notification, the OIPC has received over 1,000 reports. Previously, when privacy breach reporting was discretionary, the OIPC received an average of 130 voluntary reports of privacy breaches annually.

​

What Happens When A Privacy Breach Is Reported To The OIPC

When a privacy breach is reported to the OIPC, the OIPC will review the report and consider the custodian’s determination if a reasonable risk to the patient(s) was present. The OIPC will review the report and consider:

  • agree (or not) with the determination of risk of harm
  • was the patient notified appropriately
  • is there an offence under the HIA
  • is an investigation warranted

If an investigation is indicated, the OIPC will conduct the investigation and report their findings to the Crown prosecutors at Alberta Justice. The Crown will determine if it will continue to press charges under the HIA.

Under the recent amendments to the HIA a custodian or an affiliate or both could if found guilty of an offence is liable for a fine anywhere between $2,000 to $500,000 depending on the circumstances and the nature of the offense. Other sanctions may also be applied by the court.

It takes time to report a privacy breach, have it reviewed and investigated by the OIPC and the Crown, and have individuals charged and appear in court.

We are now starting to see the first cases charged after the August 2018 amendments coming to court and privacy breach convictions under the HIA.

Unauthorized Access By Employees

During a routine internal audit of health records in the Alberta Public Laboratories clinical lab at the Red Deer Regional Hospital identified unauthorized access by lab employees. These breaches were first identified by the hospital during a routine audit of their electronic record systems. The internal investigation between December 2018 and May 2019 identified 2,158 patient records were accessed. Alberta Health Services reported that 30 staff were involved in these breaches and three staff are no longer employed by the lab.

Do you do routine audits? Here’s how.

There have been three recent decisions in from the Alberta provincial courts as a result of mandatory privacy breach reporting legislation.

Suspicious Activity Leads to Investigation And Charges

In June 2018, Alberta Health Services (AHS) received reports of suspicious activity by a billing clerk in Red Deer. An internal audit and investigation indicated that the clerk accessed the health records of 52 Albertans without authorization. AHS reported the breaches to the OIPC in June 2018.

The OIPC opened an offence investigation and referred its findings to the Specialized Prosecutions Branch of Alberta Justice. Charges were laid in July 2019. The former AHS billing clerk received a $5,000 fine on August 2019 and was ordered not to access health information for one year.

Snooping By A Clinic Employee

In another case, an Edmonton medical clinic employee was fined after pleading guilty to health data breach. The employee knowingly accessed health information of two people and made suspicious statements to the two individuals about their personal medical details. The individuals then requested access to the audit logs and the provincial electronic health record system, Alberta Netcare.

The individuals reported a complaint to the OIPC at which point the OIPC conducted an investigation.

The employee was charged in March 2019 and plead guilty in provincial court on September 26, 2019. She was fined $3,500 and ordered to pay a victim surcharge of $525.

Are Your Employees Privacy Aware? Start now!

Unauthorized Access By A Billing Clerk

On September 30, 2019 in Red Deer Provincial Court a billing clerk with Alberta Health Services was fined $8,000 for illegally accessing health records. The clerk opened health records of 81 people over 4,7471 occasions without authorization from his employer and custodian. The court also added the following conditions

  • 1-year probation
  • order to attend treatment and counselling and
  • not be employed in a position that allows him access to health information for 1 year

We will continue to see investigations under the HIA at appearing in our courts. The OIPC is currently investigating over 20 incidents and has flagged 70 more as potential offences.

Each of these incidents involved employees making poor choices about accessing patient health information. Reasonable prevention steps include privacy awareness training for every employee, healthcare provider, and contractor. In addition, every healthcare practice should be, monitoring access to records with routine audits and applying sanctions.

We obviously don’t speak often enough about what is acceptable, appropriate, and authorized access to patient’s health information.

Preventing a privacy breach is always less expensive than managing a privacy breach.

A privacy breach management plan will help you to prevent a breach and, when a breach happens, identify a privacy breach early to limit the risk of harm, size, and the cost of the breach.

 

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach

Click Here To Register for the FREE 15 Minute Training Video "Can You Spot the Privacy Breach?"

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

Not sure what is considered a privacy breach? See When is a Privacy Breach a Privacy Breach?

 

References

CBC News. Investigation finds improper access to patient records at Red Deer hospital. Posted: Oct 04, 2019 12:48 PM MT | Last Updated: October 4 https://www.cbc.ca/news/canada/edmonton/red-deer-patient-records-breach-1.5309419

CBC News. Edmonton medical clinic employee fined after admitting to health data breaches. Posted: Oct 03, 2019 10:56 AM MT | Last Updated: October 3 https://www.cbc.ca/news/canada/edmonton/health-information-alberta-access-1.5307453

CBC News. AHS billing clerk fined $8,000 for illegally accessing health records Posted: Oct 09, 2019 10:47 AM MT | Last Updated: October 9. https://www.cbc.ca/news/canada/edmonton/ahs-billing-clerk-fined-8-000-for-illegally-accessing-health-records-1.5314783

CBC News. Jennifer Lee. Reports of health-care privacy breaches spike in Alberta. Posted: Oct 11, 2019 5:00 AM. https://www.cbc.ca/news/canada/calgary/health-care-privacy-breaches-spike-alberta-1.5316230

clinic, custodian, health, Health Information Act, healthcare, HIA, mandatory privacy breach notification, medical, physicians, privcy breach, reasonable safeguards

Privacy Practice Review

Posted on November 1, 2013 by Jean Eaton in Clinic Manager / Privacy Officer, Established Practice, Services, Vendor

Demonstrate and ensure compliance to your privacy goals. A Privacy Review is an educational and consultative program that serves as a vehicle to identify best practices as well as opportunities for improvement.

Your medical office wants to promote a culture of respect for privacy and information security throughout the organization when providing patient care and accessing and disclosing protected health information.

To demonstrate and ensure continuing compliance to your privacy goals, a Privacy Review, is an educational and consultative program that serves as a vehicle to identify best practices as well as opportunities for improvement.

The Privacy Review is designed to be transparent in order to maximize the opportunity to impart knowledge and effect change.

Each review presents an opportunity to give members of your staff the information and tools that they need to protect patient privacy.

healthcare, Netcare, privacy compliance, reasonable safeguards, security compliance

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

"I did think that the info session was interesting on how many tools can be created and intertwined for the use of the patient. I do find the sessions good."

--Practice Management Nugget event, 'Engage your patients using automated tools' with Karol Clark

- Debra from Spruce Grove

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2022 Information Managers Ltd.

Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage vendors Read more about these purposes
View preferences
{title} {title} {title}