Information Managers
  • Home
  • Services
    • All Services
  • Templates
  • Blog
  • Contact Us
  • Practice Management Success
  • Podcasts

Is Remote Working A Good Choice For Your Healthcare Practice?

Posted on March 23, 2020 by Jean Eaton in Blog

In our healthcare practices, we have policies and procedures to identify the reasonable safeguards we need to take to protect personal and health information entrusted to us. But when employees complete their roles off-site, due to personal circumstances or to ensure business continuity in unusual situations, we need to take action to ensure reasonable safeguards are in place to protect the privacy, confidentiality, and security of personal health information.

Remote Work May Be Available To Employees

Working from home is at the sole discretion of the custodian and owner of the clinic. Examples when this may be applicable include:

  • Business continuity – due to technical, physical, or other unusual circumstances.
  • Work levelling – volumes of work are distributed to another location usually for a short duration.
  • Illness / personal circumstances – where an employee is unable to report to work at the clinic but can continue to complete their roles off-site.

Some administrative tasks in a healthcare office – for example, incoming phone calls, appointment booking, appointment reminders, billing, and/or transcription – could be done from a home office environment. Sometimes even follow-up and consultations from the healthcare provider can be done remotely, too.

The healthcare provider or custodian is ultimately responsible to ensure the secure collection, use, and disclosure of health information.

For the purposes of this article, the ‘custodian’ may be the healthcare provider defined by the HIA, or the lead healthcare provider or owner in your practice.

p

In Alberta, a ‘custodian’ is defined under the Health Information Act as a health services provider who is designated in the regulations as a custodian, or who is within a class of health services providers that is designated in the regulations. HIA section 1(1)(f)(ix)

This includes:

  • Physicians
  • Pharmacists
  • Optometrists
  • Opticians
  • Chiropractors
  • Midwives
  • Podiatrists
  • Denturists
  • Dentists and dental hygienists
  • Registered nurses

Is Remote Working Good for Your Business?

As the custodian, you must decide if remote working is a good option for your business. When you decide that this is a viable option for your business, you then need to: 

  • Determine if remote working is appropriate for your employees.
  • Identify what clinic / business resources need to be provided to the employee remote worker.
  • What reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.

Likely you will continue to have both on-site and remote workers. The custodian will decide what ratio is appropriate to provide patient care and business goals on both a short term and a long term basis.

Regulations, Standards, Policy

Each healthcare business has multiple sources of sensitive information, including employee, financial, business, and health information. Custodians and owners have a responsibility under a variety of regulations, professional practice standards, and internal policies to protect the privacy, confidentiality, and security of personally identifying information (PII).

Health information is sensitive information. Reasonable efforts must be made to ensure that identifying and sensitive information is protected from unauthorized access, loss, or damage during and outside work hours. What a custodian may consider is reasonable efforts during a pandemic may be different than reasonable efforts from normal circumstances.

During a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing.

Privacy Impact Assessments

In Alberta, section 64 of the Health Information Act (HIA) requires custodians to prepare a privacy impact assessment (PIA) and submit it to the Office of the Information and Privacy Commissioner (OIPC) of Alberta prior to implementing a new administrative or technical process in a healthcare practice.

The OIPC in Alberta requests in its notice of March 19, 2020, that custodians notify the Commissioner about new administrative practices or information systems. Your submission to the OIPC should include a description of what the new program is meant to achieve and any safeguards for health information.

Standards

Your professional college may also have standards of practice and recommendations that impact your decision to implement remote working or virtual healthcare.

The Advice to the Profession series from the College of Physicians and Surgeons of Alberta (CPSA) offers guidance documents to assist you in assessing the security risks and safeguards of electronic communications, including laptops and mobile devices, to further assist you to determine appropriate safeguards.



From the College of Physicians and Surgeons of Alberta (CPSA):

COVID-19: Virtual Care

Electronic Communications & Security of Mobile Devices

Standard of Practice Telemedicine

Review Your Current Policies and Procedures

Don’t cut corners. Instead, build privacy into your decision. Create, review, and update your policies and procedures.

Use the Remote Worker Privacy and Security Checklist to help you document your decisions and expectations with eligible employees.

You may also need to consult your information technology support providers to ensure up-to-date computer and network security has been implemented.

Virtual Healthcare

Healthcare providers may consider providing virtual healthcare services to their patients. The healthcare provider may be at their usual clinic or office location and use all of their existing systems and tools to access patient records in paper or electronic medical records (EMR).

Alternatively, the healthcare provider may be working remotely, too. The same privacy, confidentiality, and security safeguards applies to their home working location.

If you are choosing to implement a new virtual healthcare solution specifically to respond to the current public health emergency, the Office of the Information and Privacy Commissioner (OIPC) of Alberta advises that

“ . . .custodian[s] need to determine what are reasonable safeguards in the circumstances and be prepared to justify their decision. Health custodians should also ensure individuals are aware of any heightened risks to privacy as a result of a new administrative practice or information system being implemented.”

Remember, you can leverage existing technology – like the telephone – to keep in touch with your patients. This likely would not be considered a new administrative or technological practice that would require a PIA. This might also be a great time to fully implement your current patient portal functionality from your EMR vendor, too.

You may decide, based on your evaluation of the potential risks and what reasonable safeguards that you can quickly implement in response to the new public health emergency, that authorizing remote working or a new videoconferencing solution is not the best choice at this time.

Select the process that ensures continuity of care to the patient, including appropriate documentation in the patient record and the protection of the PII.

​Reference

Notice: PIAs During Public Health Emergency, March 19, 2020, Office of the Information and Privacy Commissioner (OIPC) of Alberta

The Practice Management Success Tip, Remote Worker Privacy and Security Checklist, will help you

  • Determine if remote working is appropriate for your employees.
  • Identify what clinic / business resources need to be provided to the employee remote worker.
  • What reasonable safeguards need to be implemented to protect the privacy, confidentiality, and security of personal (health) information.
Show Me The Remote Worker Privacy and Security Checklist

Did you enjoy this article? If you’d like to look at similar posts, visit these links:

What Should I Do If I Think I Have COVID-19?

Do You Know Where Your Policies and Procedures Are? 

 

assessment, healthcare, medical, pandemic, physician, remote working, risk assessment, template, work from home

Do You Use Employee Privacy and Security Policy and Procedure Checklist Templates?

Posted on September 12, 2019 by Jean Eaton in Blog

Why Do You Need Employee Onboarding and Exiting Checklists?

There is much excitement when we welcome a new hire to our team and many administrative tasks need to take place to get this individual up and running.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed to protect patient privacy as required by our professional colleges and privacy legislation. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

To ensure that onboarding a new employee is a smooth transition, it is imperative to follow a practical checklist procedure to make sure no important steps are missed. There are also many other managerial benefits to adopting this high-quality process

  • Better job performance and satisfaction
  • Greater commitment to protecting privacy in the organization
  • Reduced stress and better staff retention

Employee Privacy and Security Checklist

Policies and procedures is a reasonable safeguard to protect the personal and health information entrusted to us. But polices and good intentions alone is not enough; we also need to take action to ensure our policies are understood and being followed by all our employees.

Training new and existing staff on privacy and security best practices is instrumental in making your healthcare practice a success and maintaining its fine reputation. Following a systematic approach to welcoming a new employee, transitioning an existing employee into a new position, or offboarding an employee who is exiting will guarantee that valuable privacy and security training and accesses are completed.

Read this Privacy Breach Nugget that explains what can happen if you don’t have these good practices in place. Do You Know Where Your Policies And Procedures Are? 

New Employee Orientation / Onboarding

New employees are a welcome addition to any team and there is a vast amount of training that needs to take place from general procedures on how to handle phone calls to signing confidentiality oaths to becoming familiar with all policies and procedures, in addition to learning the everyday job duties for their own position.

Since privacy is good for business, we do not want to miss any important opportunities to train our new staff on privacy and security best practices. Using the Employee Privacy and Security Checklist will help facilitate training discussions and document the authorized accesses of each employee.

Existing Employees / Annual Review

The checklist will also act as a tool for each employee at their performance review. Provide positive feedback and observations of an employee’s successes in protecting personal information. Discuss opportunities for improvement, too. This is also a good time to review an employee’s current authorized role based accesses and determine if any changes to match the employee’s current job duties is needed.

Ensure that the employee still has ‘tokens’ that they were given at the time of their hire, like identity badge, keys to the clinic or Alberta Netcare RSA fob.

Privacy and security best practice dictate that confidentiality oaths should be signed on an annual basis and annual privacy awareness and security refresher training should also be provided to all employees. In the event of a privacy incident or breach, it is imperative that a healthcare practice can prove by their documentation that regular privacy and security training is provided to their staff.

Transferring / Exiting Employees

When an employee transitions into a new role or is terminated, review, and update the privacy and security checklist to ensure that access and permissions are appropriately modified or terminated.

Custodian Responsibility

Custodians have an obligation to ensure reasonable safeguards to protect the privacy and security of health information. This includes having appropriate policies and procedures in place, as well as demonstrating and documenting that you have implemented your plans. This is a requirement of professional college standards of practice and privacy legislation like the Health Information Act (HIA).

See the article Do You Know Where Your Policies And Procedures Are? to learn what can happen to you if you don’t have your employee training process well documented

The Employee Privacy and Security Checklist will make it easy for you to ensure your new hires, existing employees, and transferring or exiting employees are privacy and security compliant.

 

Download the FREE Report - Employee Privacy and Security Policy and Procedure Checklist Template

If you are a member of Practice Management Success, login and access the webinar replay, and the policy, procedure, and checklist template.

When we know better, we can do better…

Jean L. Eaton is constructively obsessive about privacy, confidentiality, and security expecially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

 

 

clinic, health care, healthcare, medical, policy, Practice Management Success, privacy, procedure, template

Privacy Challenge #3 Privacy Collection Notice

Posted on October 17, 2015 by Meghan Davenport in Archive

Privacy Collection Notice

Every time we gather information from a client, we're entering into a trust relationship with them. We trust them to provide accurate information, and they trust us to keep it private and safe.

So it's only fair that we are transparent with our clients about our policies and procedures regarding the collection and safe-keeping of CollectionNoticetheir important confidential information. We want them to understand:

  • Why we are collecting their information
  • How we are using their information
  • How we are protecting their information
  • How our organization meets the rules and regulations of our industry

Read More

#15DayPrivacyChallenge, 15 Day Privacy Challenge, Collection Notice, Health Information Act, HIA, Practical Privacy Coach, privacy, template

The Honest Spin Doctor

Posted on July 24, 2014 by Jean Daffin in Blog, Practice Management Nugget Interview

A press release can be used to announce an event like community wellness day, product launch or some other newsworthy event. A well written press-release makes it easy for the media to make you look good.

The Honest Spin Doctor 

is a tightly written book that will give you what you need to know about media relations, crisis communications and the need for organizations to have policies that guide their behaviour when it comes to the media and social media.  Tweet this!

This easy to read, easy to use, valuable resource is ideal for healthcare practices to

  • Prepare press release about your practice
  • Develop communications and social media policies
  • Respond to media inquiries

 

Grant Ainsley Grant Ainsley Inc.

Grant Ainsley
Grant Ainsley Inc.

Grant Ainsley is an award-winning journalist and public relations professional, who has interviewed some of the biggest names in Canada.  His newest book, self-published The Honest Spin Doctor:  Navigating the Media Maze is now available.

Practice Management Nugget webinar interview with Grant Ainsley recorded live on Thursday July 24, 2014.

Try out a Membership Trial to access this Practice Management Nugget interview and other webinar replays and resources. And if you’re already a member, just log-in and enjoy!

 

communications policy, honest spin doctor, media relations, Practice Management Mentor, Practice Management Nugget, press release, self-publishing, social media, template

Privacy Breach – 3 Mistakes in Managing a Privacy Breach

Posted on June 3, 2014 by Meghan Davenport in Blog, Privacy, Confidentiality, and Security Series Webinar

Privacy, Confidentiality, Security for Medical Offices©

Privacy Breach – 3 Mistakes in Managing a Privacy Breach

Privacy is a huge issue for the public right now, and as more businesses, health care practices, and even your grocery store collect more information about you, the risks of having that information stolen, misused, or compromised, are huge.

Having a privacy breach can cost you time, money, and trust of your patients.

Attend this webinar, 3 Mistakes in Managing a Privacy Breach, to help you understand the three common mistakes in managing a privacy breach, and ensure that you and your staff take the right steps to contain, manage, and prevent privacy breaches.

 

Pssst – if you are a member, click this link for an EXCLUSIVE coupon. Not a member? Become one!

 

This webinar will teach you:

  • how to identify a privacy breach
  • how to notify a privacy breach
  • how to communicate about a privacy breach

 

Register for the Webinar!

 

Privacy Breach – 3 Mistakes in Managing a Privacy Breach

Tuesday July 29th, 2014  12:00pm – 1:00pm MST

Live webinar with Jean Eaton, the Practical Privacy Coach and Practice Management Mentor.

Discussion, resources, and template procedures that you can use right away!

Replay will be available for 1 week. Register today!

The Privacy, Confidentiality and Security Series include topics such as privacy awareness, privacy breaches, and email with patients. Seminars last from an hour to an hour and a half, and cover important information for new patient care providers and support staff, as well as practice managers, healthcare providers, or trusted vendors who support healthcare practices. Privacy, Confidentiality and Security© series is hosted by Jean Eaton (the Practice Management Mentor) of Information Managers Ltd.

 

practice management, privacy breach, template

Fax cover page – friend or foe?

Posted on November 25, 2013 by Jean Eaton in Blog

Fax cover pages often act as ‘dividers' to piles of paper – electronic or hard copy.  Many offices still receive faxes by hard copy – and this remains the default assumption as the ‘lowest common denominator'.  I think that the dividers still serve a purpose.

Perhaps more importantly, there is a common practice that the cover page is the identifier of where the document originated, the intended purpose the information was provided, who the information is addressed, and who authorized the sending of the information.

Often the cover page provides clarity to the identify of the individual the information is about.  Many healthcare providers use the cover page as their ‘disclosure log' to meet legislative compliance to clearly document disclosure of health information of a individual.  I don't think it is feasible to add the information to the source document.

The receiver of the information needs this information in order to determine if they will accept the responsibility of collecting the information and the purpose for that information.

Perhaps the better approach is to make the cover page more useful – to both the receiving and sending party – by improving the documentation and adding suggested indexing categories.  This can be easily generated if the sending party is using an EMR.

See also:  Canadian EMR http://blog.canadianemr.ca/canadianemr/2013/11/a-complication-of-paper-faxes.html

best practice, cover pages, disclosure log, EMR index, fax, health information, healthcare, template

Search the site

What is the elephant in the room?

The Elephant in the Room Find out here...

Privacy Policy

"Jean Eaton is one of those 'critical suppliers' you keep in your email contacts list, no matter what company you manage. She really knows her stuff and delivers prompt, accurate information on time. Her courses are interesting, informative, and I like the opportunity to meet with classmates who have similar challenges."

- Kevin Morris, Shape MD, Team Leader/Office Manager

Register for Free On-line Privacy Breach Awareness Training!

Privacy Policy

Copyright 2020 Information Managers Ltd.