Information Managers

Do You Know Where Your Policies And Procedures Are?

Posted on November 15, 2021 by Jean Eaton in Blog


This is a cautionary tale.

And it could save you a lot of embarrassment – even legal issues.

The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice.

It’s also required by legislation and professional college regulations and standards.

Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.


Don't let this happen to you!

Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

These policies and procedures also become the foundation of your privacy impact assessment (PIA).

That’s why, in this Privacy Breach Nugget, we’ll review a privacy breach investigation report from Alberta's Office of the Information and Privacy Commissioner (OIPC). Whether you have a new practice or an existing practice, we have a number of services and resources designed to help you manage your practice in a way that not only meets legal requirements, but is streamlined and efficient and keeps your information secure.

What Happened

This report started with an employee suspected of accessing health information for an unauthorized purpose.

It started at the clinic with a conflict between the employees and the employer.

An employee (Employee A) was on leave from her position at the clinic. Her access to the electronic medical record (EMR) was suspended during her leave.

Employee A wanted to access patient information to support her dispute with management. Over two months, Employee A used Employee B’s credentials to access patient records.

This action is in contravention of the Health Information Act (HIA) sections 27 and 28.

This is where this case becomes even more convoluted and, in fact, a better case study of what not to do.

Employee Dispute

Understanding the Health Information Act

The Health Information Act (HIA) requires the custodian (the physician, in this case) to take reasonable steps to maintain administrative, technical, and physical safeguards to protect patient privacy as required by sections 60 and 63 of the HIA, and section 8 of the Health Information Regulation.

In November 2013, the clinic submitted a privacy impact assessment (PIA) to the OIPC prior to its implementation of an electronic medical record (EMR).

The PIA included written policies and procedures.

The letter to the OIPC accompanying the PIA was signed by two physicians, as well as Employee A who was the privacy officer at that time.

The physician named in the investigative report is not the current custodian at the clinic. The physician was hired in 2015 and therefore not a member of the clinic in 2013 and not involved in the initial PIA submission.

During the investigation, both employees indicated that the policies and procedures to protect patient privacy were in a binder in the clinic, but it was never used or shared with the staff.

Oaths of confidentiality may have been previously signed by the employees, but the documents could not be produced during the investigation.

Section 8(6) of the Regulation states the ‘custodian must ensure its affiliates are aware of and adhere to all of the custodian's administrative, technical, and physical safeguards in respect of health information.’

It’s common practice for clinics to require employees to sign confidentiality agreements and ensure that they receive patient privacy awareness training with regular updates.

But in this investigation, the employees said they never received privacy awareness training.


Access To Patient Information

The employees also stated it was common practice at this clinic for individuals to not log off of their EMR account on the computers at the reception desks. It was common practice for other employees to access an open session to quickly perform a task in the EMR.

The investigator concluded that the physician was in contravention of the HIA section 63(1) which requires custodians to establish or adopt policies and procedures that would facilitate the implementation of the Act and regulations.

These specific findings were made:

  • The custodian failed to ensure the clinic employees were made aware of and adhered to the safeguards put in place to protect health information, in contravention of section 8(6) of the regulation.
  • The custodian was in contravention of section 8(6) of the regulation, which requires custodians to ensure that their affiliates are aware of and adhere to all of the custodian’s administrative, technical, and physical safeguards with respect to health information. It’s important to note that any collection, use, or disclosure of health information by an affiliate of a custodian is considered to be the collection, use, and disclosure by the custodian.
  • The custodian failed to ensure the employee and the other clinic staff adhered to technical safeguards as required by section 60 of the HIA and section 8(6) of the regulations.

Privacy Breach Nuggets You Need to Know

Privacy breaches are in the news every day. The more you know about how breaches can affect you, the more proactive you can be to prevent privacy breach pain.

Get Your Privacy Documents In Order

To protect yourself and your practice from patient privacy breaches (and massive fines, see the conclusion to this article), follow these steps.

  1. Find your policies and procedures and review them with all staff and custodians. Make sure you document that this has been done.
  2. Review and update your privacy awareness training and ensure all staff, including custodians, have completed this recently. Make sure you have this documented, including certificates of attendance if available.
  3. Oath of confidentiality documents should be signed by all clinic staff and custodians and maintained in a secure location.
  4. Review your privacy impact assessment and ensure all of your current custodians have read this and understand it. Visit this post for more information to help you determine if you need a PIA amendment.

Monitor

This incident occurred in 2016. The OIPC office did not recommend any additional sanctions against the clinic, physicians, or employees.

To get templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership

New Amendments To The HIA

This case might have turned out differently today.

New amendments, as of 2018, provide for fines under the HIA ranging from $2,000 to $200,000.

The public — and our patients — expect and trust us to make sure that their personal health information is kept secure and confidential.

It’s our responsibility to make sure these administrative, technical, and physical safeguards are in place and are maintained in a consistent fashion.

When you've done the hard work to implement your patient privacy policies and procedures and your privacy impact assessment, make sure you continue your journey and keep these documents up-to-date and current. To help you, sign up for the Practice Management Success Membership.

There are many patient privacy breaches in the news each day, and you never know when it could happen to you.

The more you know about the breaches and how they can affect you, the more proactive you can be to prevent privacy breach pain. If you need to prepare your privacy breach management plan, start your on-line training 4-Step Response Plan right away!

If you need templates of policies and procedures for your healthcare practice, be sure to sign up for the Practice Management Success Membership. These tips, tools, templates, and training will help you save time and money to develop and maintain policies and procedures in your healthcare practice.

When we know better, we can do better…

I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

Jean L. Eaton, Your Practical Privacy Coach


References and Resources

Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf


Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments – A Complete Step-by-Step Course

Posted on October 28, 2020 by Jean Eaton in Services, Training

Do you need a Privacy Impact Assessment?

Or do you need to amend an existing PIA?

Privacy Impact Assessments are just one of the requirements you need in order to fulfill your obligations in Alberta’s Health Information Act (HIA) and other legislation and are an important aspect of developing privacy best practices in your office.

And a little help along the way is always a good thing.

Practical Privacy Coach, Jean L. Eaton of Information Managers, is constructively obsessive about privacy, confidentiality, and security when it comes to the handling of personal and health information, particularly in primary health care settings. Jean has helped hundreds of healthcare providers, vendors, and health and social service delivery organizations and associations complete their Privacy Impact Assessments, which have been successfully accepted by organizations' management and regulators. Jean has customized and delivered privacy training programs for privacy officers, records management professionals, implementation teams, and healthcare providers across Canada and the US.

Now you can have access to five modules to help you learn everything you need in order to complete your own PIA.

     

**** New PIA Amendment Track ****

Each module includes a video training, as well as templates, tools, resources and case studies to build on in each lesson. You can use this scenario to guide you through the PIA process in healthcare. If you work in healthcare or privacy or records management and need to do a PIA, this e-course is for you.

 

You need a Privacy Impact Assessment (PIA) when

  • You are opening a new clinic or establishing a new health services program.
  • You are changing administrative procedures or technology equipment, services, or vendors.
  • You are changing how you collect and use personal information.
  • You are implementing or changing an Electronic Medical Record (EMR).
  • You are sharing health information with another healthcare provider, organization, Primary Care Network or other health program.
  • You want to prevent a privacy breach.
  • You have a Privacy Impact Assessment that was written more than 2 years ago. (It is time to review and update this!)

 

If you are a healthcare provider or practice manager and you need your first Privacy Impact Assessment, this e-course is for you.

Are you in a group or solo practice with direct patient care, for example:

  • Physician
  • Pharmacist
  • Registered nurse
  • Optometrist or optician
  • Chiropractor
  • Physiotherapist
  • Midwife
  • Podiatrist
  • Dentist, dental hygienist or denturist
  • Audiologist
  • Mental health practitioner
  • Laboratory, x-ray, and imaging technician
  • Paramedic

A PIA should be as commonplace to a healthcare practice as a business plan is to a business. BUT most healthcare practices don’t know this and often don’t know that a PIA is usually part of their professional college requirements and often even a legislated requirement! Prevent malicious errors, omissions or attacks that could result in fines and even jail time for the business, healthcare provider, employee, or vendor by completing a PIA.

If your Privacy Impact Assessment was written more than 2 years ago, this online on-demand course is for you!

The Clinic Manager, Physician Lead, and Privacy Officer must ensure its content is updated to reflect the current state of administrative, physical and technical controls.

BONUS! Checklist to update your PIA to meet recent changes to Alberta's Netcare Portal. If your practice has completed a PIA and now you need to update the PIA, you receive a checklist of items that you need to consider to refresh your PIA.

 

If you are a vendor that supports healthcare practices, this e-course is for you!

BONUS! One hour tele-consult with Jean, “Create a branded Privacy Impact Assessment Readiness Package”. Jean will work individually with you to review your documentation and coach you on how to prepare the package to give to healthcare practices.

BONUS! Vendor PIA live webinar includes Vendor non-disclosure agreement, Information Manager Agreement, GAP Analysis, Computer Network Narrative templates.

 

I have helped hundreds of physicians, chiropractors, pharmacists, and other healthcare providers complete their Privacy Impact Assessment. I have visited hundreds of practices across Canada. But time and geography limit my ability to visit each healthcare practice that needs a PIA. That's why I developed this on-line interactive course to help you learn everything you need in order to review, amend, or create your own PIA. Each module includes a video training as well as templates, tools, resources and two common case studies to build on each week. You can use these scenarios to guide you through the PIA process.

You know your practice better than anybody else. If you have the right tools, at the time most convenient for you, and a mentor to help you, you can develop good office practices, meet legislated and college requirements, and successfully complete your Privacy Impact Assessment requirements.

Using an on-line interactive webinar program, you will get great content and mentoring from Jean Eaton, including once a month during the live Q&A training webinars. Learn the PIA process with these modules.

The modules include:

Module 1: PIA to Protect Your Practice, Your Assets, and Your Patients

Module 2: Information Flows – the Foundation of Your PIA

Module 3: Risk Analysis and Mitigation Strategies

Module 4: PIA Format – Pulling it All Together

Module 5: Complete Your PIA Submission

BONUS Module 6: Create a Branded Privacy Impact Assessment Readiness Package

The replays, tools, and resources will be available to you right away.

If you are new to this field, I suggest that you first register for Privacy Awareness in Healthcare: Essentials to master the key definitions and concepts.


Privacy Awareness in Healthcare: Essentials

 

Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments –

A Complete Step-by-Step Course

5 Core Modules, Templates, Training, and Tools to Get Your PIA Done!

Monthly Live Q&A Training Webinars

$450.00 (plus GST)


 

You will get

  • Learning Resource Guide for EACH module – how-to explanations, templates, and resource lists
  • Checklists to help you plan your PIA
  • MindMap of the entire PIA process
  • PIA project plan timeline templates
  • Checklists of personal and health information privacy and security policies that you need in your practice
  • Many examples of projects in medical, dental, chiropractic and more practices, including new PIA projects and PIA amendments.
  • Explanation and real-life examples of key terms that you need to know and include in your PIA
  • Strategies and templates of risk management assessments that you can customize
  • This E-course might qualify for CPE credits, too!

 

BONUS!  Monthly live Q&A webinar training with Jean to help you get un-stuck with your PIA.

BONUS! Checklist to update your PIA to meet recent changes to Alberta's Netcare Portal.

BONUS! Private discussion group with other registered participants of this course to network and support each other on your PIA journey and continue to help you after this course closes.

BONUS! Regular updates of privacy resources and templates that you can use.

 

If you hired a consultant to do the work of the PIA process for you it may cost you as much as $3,000!

And then…when the consultant is done, they take their knowledge out the door with them.

Invest only $450 in this course and you'll have what you need to do your first PIA project today…and every project in the future!



“I had the pleasure of working alongside Jean to develop a PIA for my Dental Office. I could not have completed this document without her. She was there to help me every step of the way. Her online course made it easy to communicate with her as well as having so many resources to use that were so helpful. Each Module had videos to watch that explained step by step what needed to be done. The PIA document is a lot of information to put together and if it's not enough information on its own, you also need to develop a policy and procedures manual. Jean has developed an amazing resource for this manual that was very user friendly and made a 300 page manual a lot more attainable than creating it on your own. I highly recommend taking Jean's PIA course and having her help throughout the process!”

~~Lindsey Cave, Office Manager, Orion Dental Group

 

What people are saying about our PIA e-courses and in-person workshops:

Q: What did you learn from this workshop?

Participant's Responses:

  • Understanding of need / use of Information Management Agreements and an “Evaluation” agreement.
  • Lots – when / how to make amendments.
  • Compliance / requirements of PIA and their purpose.
  • PIA information; agreements, updating.

 

Q: What do you feel was the biggest benefit to attending this workshop?

Participant's Responses:

  • Understanding a PIA.
  • Having a better understanding of PIA's and everything included in requirements.
  • Gain a better overview of my PIA and what I need to add; organizational strategy.
  • Clear vision of work to be done.

“When Jean told us about the Protect Your Practice, Your Assets, and Your Patients with Privacy Impact Assessments E-course and explained how the course will help us better understand the Health Information Act, our responsibilities as healthcare providers and our relationship with our vendors and partners, I signed up right away! Thanks again – it is no doubt that we have hitched our wagon to a shining star.”
~~Bill Stowe, Business Manager Synergy Respiratory & Cardiac Care

“This was my first ever time I had to work on a PIA and I was a little nervous about doing it efficiently – but you really made it as simple and straight forward as possible. Thank you for being available for my questions when I had them. I would easily recommend Privacy Impact Assessments to Protect Your Practice course for anyone to do their own PIA's! Thank you so much!”
~~Karen Sarabura, Clinic Manager and Privacy Officer, CGA Medical Imaging, Alberta

“I attended the Privacy Impact Assessment Walk-through workshop (for ARMA members). Jean shared resources and on-going networking opportunities. The biggest benefit to me is to know that there is help out there in moving forward with our Privacy Impact Assessment responsibilities.”
~~Ellen Sauvé, Parkland County

Comments from other E-course participants:

“Learning about how all the information gathering systems interact was the most valuable part of this workshop”

“Excellent presenter – variety of learning opportunities.”

“Jean is an excellent speaker and I enjoyed the audio seminar you gave today and I learned a lot from your seminar.”
~~Annette T (AHIMA webinar, “Three Mistakes in Managing a Privacy Breach”)

“Jean Eaton is one of those ‘critical suppliers' you keep in your email contacts list, no matter what company you manage. She really knows her stuff and delivers prompt, accurate information on time. Her courses are interesting, informative, and I like the opportunity to meet with classmates who have similar challenges.”
~~Kevin Morris, Shape MD, Team Leader/Office Manager

 


In-Person Workshops Are Now Available 

Are you a hands-on kinda person?

Are you more likely to get things done when you schedule your time for a working meeting?

Would you like help to kick-start your PIA amendment and review with other like-minded clinic managers and privacy officers?

PIA Amendment Workshops are available. Send a request to me and let's set up a workshop near you! You also get full access to the on-line course to support you after the workshop.

 

 

Not sure if the E-course is for you?

Jean will answer your questions in the free webinar, 

 

Prevent Big Fines (or Worse!) for Your Healthcare Practice

How to Plan a Privacy Impact Assessment for Your Healthcare Practice

with Jean L. Eaton
Replay Recorded Live

This webinar is for Privacy Officers, Clinic Managers, Practice Managers and anyone else responsible for doing a PIA.

You will learn what is getting in your way of getting your PIA done!

In this free webinar, you will learn:

  • 5 Manageable Steps of every PIA
  • 3 Biggest Myths about PIAs that are preventing you from completing your PIA
  • Questions Privacy Officers, Clinic Managers, Practice Managers and Healthcare providers should ask about PIAs but don’t
  • Biggest fears about doing a PIA and how you can kick it to the curb so that you can finally get it done

Join us for the webinar so that you can plan your PIA for your healthcare practice!


How Do You Celebrate Your Receptionist?

Posted on May 7, 2018 by Jean Eaton in Blog

National Receptionists’ Day is celebrated annually on the second Wednesday of May. It is celebrated by organizations around the world, including the U.S., Canada, the U.K., Australia and New Zealand. National Receptionists’ Day was first celebrated in 1991 as a special day to recognize and appreciate the many contributions receptionists make to an organization.

The purpose of National Receptionists’ Day (Wednesday, May 9, 2018) is to:

  • Foster recognition of the importance of the receptionist's role. They are usually the first person a customer or client meets when they visit a company.
  • Promote pride and professionalism amongst receptionists for the important role they play within an organisation.
  • Give receptionists an opportunity to share stories and link up with other colleagues.

The importance of the role played by receptionists is often overlooked. Instead, follow the advice from Nelson Scott, SEA Consulting:

“Take time on National Receptionists Day to let these ‘Managers of First Impressions’ know how much you depend on them. Your organization's receptionist is often the first person that clients meet when visiting your office or calling it on the telephone.”

Display This Poster In Your Practice

Display a poster in your clinic to let your patients know how much you appreciate your receptionists.

Here's a poster that you can download and use right away!


Share in Social Media

Here's another great – and easy! – way to create engaging content for your social media accounts and team building, too.

Create one – or more – social media posts recognizing the value that your receptionists bring to your team and patient care, and celebrating the receptionists that you have in your clinic.

What To Do Next

  1. Invite your staff to participate. Send an email, memo, or poster asking them to share what your Receptionist means to them.
  2. Create a social media post message. Here is a sample:

National Receptionists’ Day is May 9th! At ABC Clinic, we recognize and appreciate all of the amazing contributions our Receptionist makes. Thank you (NAME)!

National Receptionists’ Day is May 9th! What are you doing to celebrate your “Manager of First Impressions”? #NationalReceptionistsDay

  3. Add an image.
  4. Pin your post to the top of your Facebook timeline.
  5. Create additional posts to highlight each staff member's thoughts on your Receptionist. Share photos of your Receptionist being celebrated.

 

Download the Receptionist Images Templates

Would you like more tips like this?

Members of Practice Management Success Membership enjoy access to Tips, tools, templates and training to help you start, grow, fix, or maintain your healthcare practice!

Membership is open to all healthcare practices of any size – physicians, optometrists, audiologists, dentists, chiropractors, physiotherapists, nurse practitioners, and more!

Members get access to online resources when they need them, along with networking and support from other clinic managers, practice managers, and healthcare providers in independent community practices – just like you!


How to Create Social Media Policies

Posted on October 27, 2015 by Jean Eaton in Blog

October is Cyber Security Awareness Month! Information Managers is celebrating by hosting our annual 15 Day Privacy Challenge. The 15 Day Privacy Challenge is a fun, no cost educational opportunity on privacy and security.

Challenge #12 Social Media

If you decide to use social media in your business, you need clear rules about who will authorize messages. You also need a strong social media policy to provide direction and education to your employees about what they can – and can't – say on-line.

Employees also need to understand that if they participate in social media, their personal comments are still potentially a reflection of the business they represent. See “Securing the Human” for more information for employees.

Even if you decide not to use social media in your business, you still need to be aware of cyber threats such as hackers, viruses, malware or a cybersecurity breach, and implement a formal cybersecurity plan and social media policy for employees.

Review your organization’s policy and procedure about Social Media. See SANS and our articles “What Should You Include in Your Social Media Policy?”  and “The Honest Spin Doctor” for sample policies.

We are proud to be a Champion of National Cyber Security Awareness Month.

#CyberAware #15DayPrivacyChallenge.

 


Signs, signs, everywhere signs

Posted on September 1, 2015 by Jean Eaton in Blog

Do you need medical signs for your clinic?

Every office has signs – signs to remind people to take off their shoes, ring the bell, present their identity card and even to sign in!

I have been in hundreds of healthcare offices and have seen some really great signs. We have selected over 20 signs needed in your clinic. Print and use these signs in your practice!


 

 

What do you think makes a good sign?

  • Easy to read – simple words, clear print, big enough
  • Pictures sometimes help
  • One message per sign
  • Polite
  • Correct spelling
  • Humour (use carefully!)

What kind of signs do you use?  

Send us a picture and tell us what makes the sign good (or bad).  We'll share it on our site to come up with the Great Big Sample Book of Signs.

Tag us on Twitter and share your sign.

Here are some pictures of signs that we have received:

[Images: Great Big Book of Signs – Privacy, Receptionist, Appointment, Walk in, Garbage Only, Respectful Workplace]

 

This sign was in a cafeteria run by volunteers.  I like it because it is positive, polite, and has a pinch of humour.

[Image: Kindness]

 

 

 


Email and Patients – is it right for your practice?

Posted on February 6, 2015 by Jean Eaton in Blog

Just because we use email daily to communicate doesn't mean that it is the best communication method between healthcare providers and patients.  The challenge is to get both the provider and the patient to appreciate the risk in e-mail exchanges.

Mary was looking forward to the course next week, “Ready to leave your job?”

Unfortunately, Mary used her work email address to register for the course.  Now she was getting emails at work about looking for a new job.  What if her boss or co-workers saw the emails?

Then, she thought, what if she had asked her doctor’s office to send her an email to remind her of her counseling appointments?

Sending personal information into cyberspace is like writing on the back of a postcard.  Anyone can see it!  It doesn’t need to have detailed personal information to be private or important to us.

Below is an outline for discussion that you can use to help you decide if using email with patients is the right choice for your practice.

What are the steps to use email with patients?

  1. Plan.  Establish clear policies and procedures about when you will – and when you won’t – use email with patients in your practice.  The provider is responsible for disclosure of information and for ensuring reasonable safeguards. On a case by case basis, one needs to determine what is reasonable. You need to balance the risk with the benefit of disclosing the health information. If you aren't prepared to put in the energy (and it takes effort!) to put in a comprehensive risk mitigation program, then you should not be using email to send health information or other sensitive information.

Remember – even a plain email confirming an appointment at a clinic can be sensitive if it is seen by the wrong person at the wrong time!

  2. Educate.  Establish clear, consistent, easy to read and understand education to the patient about the risks of using email for sending health information. Even then, the healthcare provider, as the person of authority, still maintains the responsibility for the security of the information.

  3. Authorize.  The patient must provide their personal email address and authorize the use of email as a method of contact and the specific purpose that the email address may be used. This implies to me that the first contact with the patient cannot be by email.

Help patients understand their important role in maintaining their personal privacy.

Here is a sample authorization form that you can use:

Patient Authorization for E-Mail Communication SAMPLE

  • I would like to communicate by e-mail with my provider.
  • I have been given information guidelines about how to e-mail with my provider and have been given the opportunity to ask questions.
  • I will only use my personal e-mail address and personal devices to communicate with my provider (i.e. will not use work/school e-mail address or public computer as personal information could be viewed by others).
  • I will be responsible for maintaining any information regarding my care that I have saved onto my personal computer.
  • I understand that my email authorization and a copy of the e-mail guidelines I have received will be called my permanent medical record.
  • I agree to follow the guidelines for e-mail communication of my provider and will use e-mail for nonemergency purposes only.
  • E-mails containing transitory information (routine or short-term transactions containing little or no information of ongoing value, i.e. confirmation of appointments) will be securely deleted by the Clinic.
  • E-mail correspondence containing clinical or significant information will be entered into my permanent medical record by the provider.
  • I agree to inform my provider in writing if my e-mail address changes.
  • I understand that the Clinic will normally respond to email communications within ____ hours (or business days).  If I have not heard from the Clinic by this time, I will phone the Clinic.  This email communication may be read by someone that the provider has assigned to preview or respond to it in his absence.

It is a challenge to get both the provider and the patient to appreciate the risk in e-mail exchanges and the public nature of the exchange. Walk carefully through this minefield if you go at all.

See our e-book, Can You Use Text Messaging With Your Patients for more tips, tools, and templates you can use right away!


When an employee does wrong after work

Posted on September 13, 2014 by Jean Eaton in Blog

Ray Rice was banned from playing football when he admitted to physically assaulting his fiancée. A big celebrity caused embarrassment to his employer in the professional sports (and entertainment) industry. What does this mean to healthcare practice managers? I learned today, when I listened to the CBC Radio show The Current, that an employer has a responsibility to act when an employee does wrong on their own time.

Why should an employer be responsible for dealing with the private lives of their employees?

The off-duty misconduct of an employee can affect the reputation of the employer and may be contradictory to the employee's job. For example, if a healthcare provider is drunk and disorderly in public, patients may not trust the care and treatment that they could expect to receive from the employee. The lack of respect and trust of the employee affects the reputation of the employer, too.

What role do employers have regarding domestic violence?

An employee who is a victim of domestic violence impacts the workplace in many ways. The mental health of the victim is compromised and negatively affects their job performance or productivity, also affecting the attitude and morale of their co-workers. The victim may be absent or late for work. The abuser can use the employee's workplace resources to harass or stalk their partner and risk the safety of all the employees and customers at the workplace.

When an employer becomes aware of actions (on or off the job) of an employee that might

  • cause risk to public safety, consumers, customers, other employees,
  • affect the employee's ability to do their job, or
  • negatively impact the reputation of the employer

the employer has a responsibility to act.

The employer should implement IAC – investigate, assess the situation, make a conclusion. This could include employee termination for just cause, termination without cause, or other discipline. When necessary, the employer may need to notify police services as part of their public responsibilities.

Health and safety legislation in the workplace requires the employer to take every reasonable precaution to protect workers, including protection from workplace harassment (including workplace violence and bullying) as well as from hazardous substances and dangerous machinery and equipment.

Legislation requires employers to develop written policies addressing workplace violence and harassment and to review those policies at least once a year. Policies must include procedures to enable employees to report incidents and must set out how the employer will investigate incidents and complaints. The employer must also provide training on these policies.

If an employer does not properly address harassment in the workplace, or an employer becomes aware of an employee's off-hours personal actions that could affect the workplace and does not respond, this could be named a ‘poisoned workplace’. Employees could claim they can no longer work due to their employer’s failure to prevent an abusive or unsafe workplace and take action against the employer.

Download the CBC’s ‘The Current’ podcast and discuss it with your healthcare practice management team. Are your policies up to date? Do your employees know how to make a complaint? Manage a complaint? Conduct an investigation?

Here are a few more resources to help you get started:

Government of Alberta, Human Services

Treasury Board Secretariat website for related tools and guides.


Engaging Patients in an Electronic World

Posted on August 25, 2014 by Jean Eaton in Archive, Blog

Ontario Medical Group Management Association Conference

Landscape for Learning Muskoka, 46th Annual Conference of the OMGMA, September 24 to 26, 2014, Gravenhurst, Ontario

Email?  Patient portals?  Social media?  On-line marketing?

How does a medical practice decide which social media approach will best meet your business objectives and improve patient satisfaction?  Jean Eaton, your Practice Management Mentor, will help you make informed choices for your practice.

A practical decision-making approach will help you clarify your ideal patient and business objectives.  We will explore automated tools to engage your patients and introduce a format to assess risks and benefits so that you can make an informed choice about which approach is best for your business.

Jean Eaton, The Practice Management Mentor.  I believe that people working in health care want to provide good services and have a profitable business. They have a sense of what they need to do to get there – but sometimes need the confidence and the details and the resources to help them.

I help you with templates, user guides, real-life examples, networking, practical resources and mentoring. I give you the confidence to take care of the elephant in the room.

To register for the conference, see the OMGMA website.

Privacy Statements in Plain Language

Posted on March 10, 2014 by Jean Eaton in Blog

 In search of plain language

I spent a lot of years in school and assumed that multi-syllable words would earn extra marks.  Now I spend a lot of time trying to use ‘plain language' so that it is easier for people to read and understand what I write.

In a recent article from IAPP (International Association of Privacy Professionals), “Privacy Policies: How To Communicate Effectively with Consumers” the authors discuss the regulatory and judicial consequences to your business of failing to make sufficiently clear, accurate, and comprehensible privacy disclosures for on-line consents.  They also provide some great resources on how to improve your plain language skills.

Primary care practice managers and clinic managers are required by legislation and regulated professions standards to develop forms and notices to inform their patients and clients of what to expect at the clinic.  These documents usually have one of two main purposes:

  • inform our patients and clients about how their information is being collected, what will be done with it and what their choices are.
  • inform our patients and clients about their care and treatment.

Each purpose is important – important enough for us to take the time and effort to make the documents easy to read and easy to understand.  Let's create a Privacy Statement poster that you can use and adapt for your practice.  First, we need some guidelines about plain language.

What is plain language?


Document Management Tip: Privacy Statements in Plain Language

The objective of plain language is to write in simple conversational English at about an eighth grade reading level.  Here are some basic plain language guidelines that make documents easy to understand.  (A full discussion of tips for writing a plain language privacy policy can be found in Kinsella Media’s Plain Language Primer for Privacy Policies.)

  • Omit legal/technical jargon and limit defined terms,
  • Use positive language,
  • Avoid double negatives,
  • Use active voice,
  • Pare down sentences to one thought,
  • Omit wordy phrases (instead of “in order to” use “to”)
  • Use personal pronouns,
  • Keep the message personal by using question and answer format to explain common situations
  • Describe complex issues in “if this, then that” terms. For example: “If you have a question or complaint, then contact us here.”

Design the poster using a reader friendly format much like an advertisement.

  • Use simple, descriptive headers,
  • Fonts need to be large enough so the average person can easily read the notice. Twelve points or bigger using fonts like Verdana or Arial improves readability,
  • Emphasize key points by using bullets, underlining and/or italics,
  • Never use all CAPITAL LETTERS,
  • Use highlighting in moderation,
  • Use examples to describe practices or put the content into an easy-to-read chart

Download the Document Management Tip:  Privacy Statements in Plain Language

 Content in a Privacy Statement

List the objectives or main points of your statement.  For example,

  •  Your mission statement or goal.  This is the opening or introduction of the privacy statement.  Explain why this statement is important to the patient.
  • What types of personal information we collect about you,
  • How we use your personal information,
  • With whom we share your personal information,
  • To whom your personal information is disclosed,
  • How we protect your personal information,
  • Who you can contact if you have a complaint or want more information

Privacy Statement Poster Sample #1

Our Clinic respects the privacy rights of our patients and employees and is committed to protecting the personal information that we collect from you. We have adopted this Privacy Statement to guide how we collect, use and disclose the information you provide to us.

We will:

✔ only collect information required for your care and treatment

✔ give you access to your own records and, if requested, make copies of them at a reasonable cost

✔ only share with other health providers the information that they need to provide you with proper health care

✔ ask your permission to share your health information if required for other purposes unless we must provide it for legal reasons

✔ keep your information safe

✔ keep accurate records.

In the event our Clinic changes ownership or is closed, we will try to contact you.  We will tell you how you can get a copy of your information.  If you ask us, we will transfer your information to another health provider.

For more information, please talk to the Clinic Manager or Privacy Officer.

Privacy Statement Poster Sample #2

Our Clinic believes that the personal information that you provide to us is sensitive and important to you.  We will follow these principles to maintain the confidentiality and security of your information.

Principle 1 – We are accountable for the personal information that you give to us.

Principle 2 – Our Clinic will tell you why we collect your personal information, before the information is collected.

Principle 3 – Our Clinic will collect, use and may disclose personal information about you. You may withdraw consent at any time.

Principle 4 – Our Clinic will ask you for your personal information only when we need it to do our job to help you.

Principle 5 – Our Clinic will use or disclose your personal information only for the reasons that you provided it to us.

For more information, please talk to the Clinic Manager or Privacy Officer.

Privacy Statement Poster Sample #3

Our Promise to You

To help you, the Clinic needs to get information about you.  We will share your information only with those people you agree to.

We promise to: 

  • get only the information needed 
  • keep your information safe 
  • keep careful records 
  • ask for your “okay” to share your information 
  • let you read your own file and, if asked, make copies of it at a fair cost 
  • only share your information with other people who are directly involved in your care and treatment

For more information, please talk to the Clinic Manager or Privacy Officer.

Using the Privacy Statement

The Privacy Statement should be made available to the patients in a way that would be reasonable to expect that the patient has an opportunity to read and understand or ask questions about the statement.  You could

  • frame the poster and hang it in the waiting room or examination rooms,
  • insert the poster into closed circuit TV monitors in the waiting room,
  • display the message in computer screen savers,
  • laminate the poster and use it as a cover page on the clipboard given to the patient when they are asked to complete forms at the clinic

Use more than one method to share the Privacy Statement.  This is a good strategy to ensure that each patient has the opportunity to read the poster on their first and subsequent visits to the clinic.

Conclusion

Revising your privacy statement into plain language helps the clinic review its own practices and often provides clarity and improvements.  An easily understood privacy statement helps the clinic comply with regulations and standards.  Perhaps most importantly, when the patient understands the privacy statement, the patient becomes actively involved in the process of collection, use, and disclosure of their personal information.  Using plain language may not be simple but it can help you improve your practice management.

 

What is the next notice, form, policy, or procedure in your practice that can benefit from a plain language revision? Send Jean your examples of your plain language privacy statements.  We will post a follow-up article with your comments and examples.

Other Similar Information Managers Resources

Tax Poster, Consent Disclosure for Tax Purposes Pro-active Privacy

Bibliography / Resources

Kinsella Media, LLC.  “Plain Language Primer for Privacy Policies”, http://www.kinsellamedia.com.  February 2014.

Wheatman, Shannon and Michelle Ghiselli.  “Privacy Policies: How To Communicate Effectively with Consumers”, https://www.privacyassociation.org/media/pdf/knowledge_center/IAPP_KMPrivacyPaper_FINAL.pdf.  February 2014.


Alberta’s Health Information Act (HIA) Amendment

Posted on October 3, 2013 by Jean Eaton in Blog

An amendment to the Health Information Act (HIA) was approved by Orders in Council on September 3, 2013.

The amendment includes:

Naming a non‑regional health authority Family Care Clinic approved by the Minister as a custodian. (HIA s2(1)(g)).

Disclosure of registration information – For the purposes of section 36(c) of the Act, a custodian may disclose individually identifying registration information about an individual without the consent of the individual

(a)    to an ambulance attendant or ambulance operator under the Emergency Health Services Act,

(b)    to the Minister of Health or Minister of Human Services for the purpose of administering the Aids to Daily Living Program, or

(c)    to the Minister responsible for the Seniors Benefit Act and the Seniors’ Property Tax Deferral Act for the purpose of administering those Acts.

Remember to update your policies and procedures!  See our Document Management Tip for a sample policy update that you can use to insert into your Health Information Management and Security Manual.



Copyright 2022 Information Managers Ltd.
