Privacy Officer Training

Academic year: 2021


Introduction ... 3

Privacy in the News ... 3

A Privacy Officer and the Health Information Act ... 4

Privacy Officer Pre-Quiz ... 5

Privacy Officer Pre-Quiz – Answer Key ... 7

Module 1 – General Privacy Principles ... 9

Collection of Health Information... 9

Use of Health Information ... 9

Protection of Health Information ... 9

Access to Health Information ... 9

Disclosure of Health Information...10

Module 1 Summary ...10

Module 2 – Protecting Health Information ...11

Administrative Safeguards ...11

Technical Safeguards ...13

Module 2 Case Study ...15

Module 2 Summary ...15

Module 3 – Privacy Awareness ...16

Employees and Other Individuals ...16

Refreshing Privacy and Security Training during Employment ...17

Privacy during Employment Termination and Transition ...17

Organizations Providing Services Directly Related to Health Information (Information Managers) ...17

Organizations Providing Services not Directly Related to Health Information ...18

Module 3 Case Study ...19

Module 3 Summary ...20

Module 4 – Ongoing Privacy Compliance ...21

Daily Activities ...21

Monthly Activities ...22

Annual Activities ...22

Module 4 Case Study ...23

Module 4 Summary ...24

Module 5 – Privacy Point of Contact ...25

Contact with Staff ...25


Contact with Authorities ...26

Module 5 Case Study ...27

Module 5 Summary ...28


Introduction

Welcome to Privacy Officer Training. This training will take you approximately 90 minutes to complete. You can complete this training module in several sessions and you can resume training where you left off each time you return.

The learning objectives of this training are to:

• Recognize privacy protection principles

• Review practical advice for privacy officers in clinics in Alberta

• Apply the principles in real-life scenarios

In summary, the goal of this training is to help you to educate your staff about the importance of privacy at your clinic and minimize the risk of your patients' privacy being violated.

Privacy in the News

Protecting the privacy of individuals seeking medical care is paramount for your organization. Physicians and other custodians are responsible for compliance with law, and it is your role as a privacy officer to make sure that your clinic embeds appropriate privacy practices in staff behaviour and organizational culture.

Health information is often sensitive. Any type of incident with this information raises questions from affected individuals, the media, the authorities in your jurisdiction and the public.

The following news clips illustrate cases of improper collection, use, disclosure or disposal of health information.

Privacy commissioner delivers warning to health professionals

Calgary Herald, August 26, 2010

http://blogs.calgaryherald.com/2010/08/26/privacy-commissioner-delivers-warning-to-health-professionals/

Commissioner Work says he expects health services providers to know the rules and obey them, and says "We will prosecute anyone we catch surfing health records." The last person prosecuted for improperly accessing health records was fined $10,000.

Stolen Alta. laptops held health data

CBC News, December 9, 2010

http://www.cbc.ca/news/canada/calgary/story/2010/12/09/edmonton-privacy-commissioner-laptop-theft.html

Seven laptops or digital devices with unencrypted health, employee and financial information have been lost or stolen in Alberta in the past month, prompting disbelief Thursday from Alberta Privacy Commissioner Frank Work. "It just makes me crazy," Work said. "I think that's just utterly irresponsible now in this day and age."


A Privacy Officer and the Health Information Act

A key step in protecting privacy in any clinic is the appointment of a designated privacy officer to oversee the clinic's compliance with the Health Information Act (HIA); appointing one is itself a requirement under the HIA.

A privacy officer can be a custodian (a physician) from the clinic or a responsible affiliate (an employee of the clinic), for example a clinic manager. Under Alberta legislation, custodians are responsible for the actions of their affiliates. Therefore, it is important you understand the critical role you have to play as a privacy officer.

The training module groups the duties of a privacy officer into four broad categories:

a. Developing privacy policies and procedures and keeping them up to date

b. Ensuring those working at your clinic and with your clinic are aware of their privacy obligations

c. Monitoring your clinic's ongoing compliance with the HIA

d. Acting as a primary point of contact for staff and third parties such as patients, vendors and authorities

This training is structured to:

• Allow you to assess your initial knowledge of privacy by taking a brief quiz

• Present privacy concepts and resources

• Illustrate the concepts through short real-life case studies

A Privacy Officer pre-quiz is provided on page 5 to determine your current level of privacy knowledge.


Privacy Officer Pre-Quiz

1. In the context of your clinic, privacy is best defined as:

a. An individual's right to not share any information with their physician

b. An individual's right to have their physician not disclose any information to anyone

c. An individual's right to determine what information about themselves may be collected, used and disclosed

2. The use of strong passwords and encryption of data is sufficient to protect privacy:

a. True

b. False

3. For any of your clinic’s patients, health information includes:

a. Their name, phone number and email address

b. Their marital status and immigrant status

c. Their diagnosis and the drugs provided to them

d. Their billing information (method of payment, amount owing) and their signature

e. All of the above

4. Patients can request access to their own health information:

a. True

b. False

5. As a privacy officer, I am responsible for:

a. Staff adherence to the HIA and internal policies

b. Periodically assessing privacy practices within my organization

c. Documenting policies and procedures for health information management

d. Acting as a primary point of contact on privacy questions

e. All of the above

6. Three types of safeguards can help protect health information. They are generally considered to be:

b. Administrative, physical and technical safeguards

c. Computer, network and Internet safeguards

7. You were just made aware that one of your clinic staff sent a fax containing individually identifying health information to an auto body shop. Check all the actions you should take from the list below:

a. Call the auto body shop and tell them to destroy the fax

b. Retrieve the fax (in person, or send someone to get it), notify the patient(s) whose information was faxed, and remind your staff of the importance of checking that fax numbers are entered correctly

c. Discuss fax transmission guidelines in your upcoming staff meeting

d. Do nothing

8. One of your clinic staff used Netcare to view their daughter’s lab results. This is an acceptable use of Netcare, since she is the child’s parent and legal guardian:

a. True

b. False

9. Your laptop contains health information about some of your clinic’s patients. A Windows™ session password is sufficient protection for this information:

a. True

b. False

10. Under the HIA, when it comes to health information, clinics are responsible for the actions of their third-party vendors and contractors such as their EMR provider and shredding or transcription companies.

a. True

b. False

Privacy Officer Pre-Quiz – Answer Key

1. In the context of your clinic, privacy is best defined as: The answer is C.

Privacy is best defined as an individual's right to decide how information about them is collected, stored, used or disclosed. Privacy legislation also includes exceptions to this principle.

2. The use of strong passwords and encryption of data is sufficient to protect privacy: The answer is B.

Protecting information is important, but it is only one part of achieving privacy compliance. Other aspects to consider are authorized collection, uses and disclosure of information.

3. For any of your clinic’s patients, health information includes: The answer is E.

All of these pieces of information are considered health information under the Alberta Health Information Act and their collection, use or disclosure is subject to this act.

4. Patients can request access to their own health information: The answer is A.

Patients have a general right to receive a copy of any information in their medical record, unless the physician determines there is a legitimate reason to not give the individual access to all information.

5. As a privacy officer, I am responsible for: The answer is E.

The privacy officer should be the go-to person at the clinic, and the role encompasses all the activities listed.

6. Three types of safeguards can help protect health information. They are generally considered to be:

The answer is B.

Administrative safeguards are procedures that lay out what individuals should or should not do when it comes to health information. Physical safeguards include doors, locks and alarm systems. Technical safeguards include passwords, encryption and antivirus programs.

7. You were just made aware that one of your clinic staff sent a fax containing individually identifying health information to an auto body shop. Check all the actions you should take from the list below:

The answer is B.

Fax transmission is considered to have a number of inherent risks. In the case of a misdirected fax, physicians must take immediate measures to retrieve the fax, notify the affected individuals and make their staff aware of the issue to avoid reoccurrence.


8. One of your clinic staff used Netcare to view their daughter’s lab results. This is an acceptable use of Netcare, since she is the child’s parent and legal guardian: The answer is B.

Being related to someone does not allow access to their health record. Medical records can and must only be accessed in the course of providing treatment and care to an individual, or if instructed to do so by a custodian such as a physician.

9. Your laptop contains health information about some of your clinic’s patients. A Windows™ session password is sufficient protection for this information: The answer is B.

A session password provides little to no protection of the information stored on a laptop and seriously puts this information at risk of unauthorized disclosure. Furthermore, mobile devices such as laptops, phones or memory sticks should not routinely be used to store health information, unless absolutely necessary, in which case strong encryption and passwords must be used.

10. Under the HIA, when it comes to health information, clinics are responsible for the actions of their third-party vendors and contractors such as their EMR provider and shredding or transcription companies.

The answer is A.

The HIA identifies all individuals and organizations reporting to or providing a service to a physician as "affiliates." Physicians are responsible for ensuring their affiliates comply with the HIA at all times.

Module 1 – General Privacy Principles

The Health Information Act (HIA) outlines overarching principles to establish a comprehensive information sharing and protection framework and to balance the competing needs of individuals and organizations when it comes to health information. This module presents the general principles in the HIA. For details and provisions specifically applicable to your situation, you are strongly encouraged to review the comprehensive guide.

Collection of Health Information

The collection of health information can only be done in accordance with the principles outlined in the HIA:

• Collect only the information needed

• Collect directly from the individual unless indirect collection is authorized

• Make reasonable efforts to ensure the information collected is accurate

• Inform the individual why this information is needed and who may receive it

Use of Health Information

Health information protected under the HIA can only be used as authorized under the act. In general, health information can be used to:

• Provide a health service

• Determine or verify someone's eligibility to receive a health service

Health information may also be used by a number of other entities identified in the HIA. Refer to section 27 of the HIA for a detailed list of those entities and acceptable uses.

Protection of Health Information

Under the HIA, custodians have a duty to protect the health information in their custody or under their control. This means that the physician's responsibility extends to the actions of affiliates if those affiliates are exposed to health information. Examples of affiliates include:

• Clinic employees

• Subcontractors

• Vendors (for example, EMR vendor, shredding company or transcription services company)

Certain affiliates who provide services directly connected to health information, such as IT, shredding or transcription companies, are considered information managers, and the clinic is required to enter into an Information Manager Agreement with each of them.

A number of safeguards must be put in place to protect health information. For detailed information on those safeguards, refer to the recommendations outlined in the document from the OIPC entitled A Practical Guide to the Health Information Act.

Access to Health Information

Individuals have a legal right to see or obtain copies of their personal health information without being asked why.

• Custodians have a duty to help individuals with their requests. Custodians must explain abbreviations and terms to individuals.

• In some circumstances, custodians can refuse access, for example when access may cause harm.

• Custodians have to respond to access requests within 30 days.

• If an individual disagrees with a custodian's decision, the individual can appeal to the Information and Privacy Commissioner.

Custodians can charge a fee for access, according to the fee schedule in the regulations.

Disclosure of Health Information

Custodians can disclose an individual's health information with that individual's consent.

• Custodians must make sure they are disclosing information to the correct individual.

• Custodians must be reasonably sure the information is accurate and complete.

For certain purposes, custodians can disclose health information without consent to a number of other individuals or organizations, depending on the purpose and the specific situation. This is the subject of section 35 of the HIA.

You are required to keep a log of disclosures made to other organizations and individuals. The intent of the HIA is to ensure that for all health information the clinic discloses to third parties there is a written record of the date of the disclosure, its content and recipient, and whether a written consent was received from the patient or an entry was made in a disclosure log.

Module 1 Summary

• Health information should only be collected, used, disclosed or disposed of according to the provisions in the HIA.

• Physicians and possibly other health professionals at your clinic bear the primary responsibility of complying with the HIA and making sure those exposed to health information comply as well.

• As a clinic privacy officer, you have an important role to play to achieve optimal compliance.

Module 2 – Protecting Health Information

The Health Information Act (HIA) establishes the custodians' duty to protect health information and although it does not make any particular recommendations on how best to do this, it does require that you document the physical, technical and administrative safeguards in place to protect health information under your responsibility.

Having multiple safeguards in place for each type of information allows for several layers of security to protect health information against unauthorized access, use or disclosure. This module provides practical information about the different types of safeguards.

There are three types of safeguards used in conjunction to protect health information:

• Administrative

• Physical

• Technical

Administrative Safeguards

Administrative safeguards can be broadly defined as the safeguards that govern the conduct of clinic employees and other entities when it comes to health information. Your clinic's policies and procedures are the cornerstone of administrative safeguards and aim at ensuring that the other safeguards – physical and technical – are adequately relied upon and effective.

Internal misuse is considered the biggest risk for privacy. Therefore, it is critically important that you make sure your clinic has administrative safeguards in place. Consideration must be given to the following seven areas:

1. People

2. Use of computers

3. Use of space

4. Verbal communication

5. Telecommunication

6. Record keeping

7. Patient charts

People

• Require all staff, volunteers or contractors to sign oaths of confidentiality

• Have service providers sign Information Manager Agreements where applicable (see next module for more information on these required agreements)

• Require all new staff to complete a criminal background check

• List keys, alarm codes and other authentication devices given to each individual

• Permit access only to the resources people need to do their job and nothing more

• Require that all clinic employees and contractors wear identification badges

• Require that clinic staff verify the identity and credentials of courier services used for the transportation of health information


Use of Computers

• Information displayed on screens must be kept from public view

• Unattended computers and workstations should be locked or logged off

• Mandate a minimum standard for passwords (for example, contain letters and numbers, special characters and a mix of upper and lower case letters)

• Approve or have the lead physician approve new requests for electronic medical record (EMR) access

• Institute a policy prohibiting clinic personnel from downloading and installing software on clinic computers

• Review the EMR audit log on a regular basis and investigate anything you suspect could be a misuse

Verbal Communication

• Music is played in the waiting area or a television is playing to minimize people overhearing conversation at the reception desk

• Create and enforce a policy not to disclose patient diagnostic, treatment and care information over the phone, even to an individual who claims to be the patient

Telecommunication

• Pre-programmed numbers are used to send fax transmissions and are reviewed at regular intervals to ensure they are still accurate

• All fax transmissions are sent with a cover sheet noting that health information transmitted via fax is being sent to a secure fax machine and requesting confirmation that the information was received

Record Keeping

• Clinic records, both on-site and off-site, are held and stored in an organized, safe and secure manner

• Patient information is not left unattended in areas to which the public has access, including on desks that are in view of the public

• Paper-copy patient charts are labelled using a code instead of a patient name

Handling of Patient Charts

• Patient charts are not to be removed from the building premises, regardless of their format (electronic or hard copy)

• When health information is sent to another location, it is placed in a sealed envelope, marked as confidential and directed to the attention of the authorized recipient

• Patient charts that are left outside physician examining rooms are turned so the patient's name is not visible

Plans for Service Interruption

It is recommended that you develop a business continuity plan for your clinic in order to minimize disruption to operations in case of an unwanted event.

Preventive measures - Controls aimed at preventing an event from occurring, for example, the encryption of data and communications, staff awareness of the importance of protecting privacy or the installation of sprinklers.

Detective measures - Controls aimed at detecting or discovering unwanted events, for example, the review of EMR audit logs or use of wireless access points, or the presence of smoke detectors or a security alarm.

Corrective measures - Controls aimed at correcting or restoring normal operations after a disaster or an event, for example, having recent data backup files or knowing what to do if there is a breach of the HIA.

Technical Safeguards

Technical safeguards refer to the technology and the policies and procedures for its use that protect and control access to electronic health information. Your clinic will benefit from numerous security features that come with your EMR. However, you and your EMR vendor are jointly responsible to ensure that health information in the EMR is protected.

Technical Safeguards in EMRs

Each user should be uniquely identified with their login credentials. There are three ways to manage user accounts and privileges; your clinic can implement one, two or all of these access controls.

1. User-based access rights - certain users are authorized to perform certain actions

2. Role-based access rights - users are attached to a role and that role is authorized to perform certain actions

3. Context-based access rights - attention is also given to the source of the request (for example, whether it comes from within the clinic's network or not)

EMRs have audit log features. These keep track of all activity inside the EMR, such as time and date, user, group, information viewed or when updated. It is a good practice to run a report from these audit logs on a periodic basis. As a privacy officer, you should know how to run these reports. If you require assistance, contact your EMR provider.

EMR features allow you to make a note of a patient's particular request, also called an expressed wish. Any subsequent access to that patient's record will cause the user accessing the record to be notified of this patient's expressed wish.

Similarly, EMRs allow you to mask or unmask certain data, or anonymize data, which removes or replaces patient identifiers (such as name, address or other) so that the information is no longer individually identifying.

Mechanisms that log users out of their session should be used along with a strong password. Your EMR provider will train you and can offer expert advice on how to use these security features in your clinic.
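The three access-control models above, the audit log and the expressed-wish notice, brought together in one added Python example (constructed for this training text, not the code of any EMR product): a toy EMR that decides each request by role, by user and by where the request comes from, writes every attempt to an audit log, and a report function that pulls out the entries a privacy officer would review first (denied, off-site or after-hours). The network range, usernames, roles, actions and opening hours are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumption: the clinic's internal network (an RFC 5737 documentation range).
CLINIC_NETWORK = ip_network("192.0.2.0/24")

# Role-based access rights: a role is authorised to perform certain actions.
ROLE_RIGHTS = {
    "physician": {"view", "update"},
    "nurse": {"view", "update"},
    "reception": {"view_demographics"},
}
# User-based access rights: actions granted to one specific user account.
USER_RIGHTS = {"dr_smith": {"export"}}
# Context-based access rights: these actions are refused from outside the clinic network.
ONSITE_ONLY = {"update", "export"}


@dataclass
class Record:
    patient_id: str
    expressed_wish: Optional[str] = None  # patient's noted request, shown on each access


@dataclass
class Emr:
    users: dict                                 # username -> role
    records: dict                               # patient_id -> Record
    audit_log: list = field(default_factory=list)

    def access(self, user, action, patient_id, source_ip, when):
        """Decide one request, log it, and return (allowed, expressed_wish)."""
        role = self.users.get(user)
        rights = ROLE_RIGHTS.get(role, set()) | USER_RIGHTS.get(user, set())
        reason = "ok"
        if role is None:
            reason = "unknown user"
        elif action not in rights:
            reason = "action not permitted for user or role"
        elif action in ONSITE_ONLY and ip_address(source_ip) not in CLINIC_NETWORK:
            reason = "action only permitted from clinic network"
        elif patient_id not in self.records:
            reason = "no such record"
        allowed = reason == "ok"
        # Audit log entry: time and date, user, group (role), record, action, outcome.
        self.audit_log.append({
            "when": when.isoformat(), "user": user, "group": role,
            "patient_id": patient_id, "action": action, "source_ip": source_ip,
            "allowed": allowed, "reason": reason,
        })
        if not allowed:
            return False, None
        # Every successful access surfaces the patient's expressed wish to the user.
        return True, self.records[patient_id].expressed_wish


def audit_report(emr, opening=time(7, 0), closing=time(19, 0)):
    """Entries to review first: denied requests, off-site access, after-hours access."""
    flagged = []
    for entry in emr.audit_log:
        at = datetime.fromisoformat(entry["when"])
        off_site = ip_address(entry["source_ip"]) not in CLINIC_NETWORK
        after_hours = not (opening <= at.time() <= closing)
        if not entry["allowed"] or off_site or after_hours:
            flagged.append(dict(entry, off_site=off_site, after_hours=after_hours))
    return flagged


def demo():
    """Constructed sample users, records and requests; returns the EMR and the decisions."""
    emr = Emr(
        users={"dr_smith": "physician", "kim": "nurse", "pat": "reception"},
        records={"P-1001": Record("P-1001", "Do not leave messages on home phone"),
                 "P-1002": Record("P-1002")},
    )
    onsite, home = "192.0.2.10", "198.51.100.7"
    at = datetime(2021, 3, 4, 10, 30, tzinfo=timezone.utc)
    results = [
        emr.access("dr_smith", "view", "P-1001", onsite, at),    # allowed, wish returned
        emr.access("pat", "update", "P-1001", onsite, at),       # denied: role
        emr.access("kim", "update", "P-1002", home, at),         # denied: off-site context
        emr.access("dr_smith", "export", "P-1002", onsite, at),  # allowed: user-based right
        emr.access("kim", "view", "P-1002", onsite, at.replace(hour=23)),  # allowed, flagged
    ]
    return emr, results


if __name__ == "__main__":
    emr, results = demo()
    for line in audit_report(emr):
        print(line["user"], line["action"], line["reason"], line["off_site"], line["after_hours"])
```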

General Technical Safeguards in an EMR Environment

• Antivirus protection and firewalls should be up-to-date and correctly configured

• Automatic backups of the data not residing in the EMR should be taken regularly to minimize disruption to your clinic's activities in case of systems failure. Examples of such data include administrative documents and templates, accounting information and disclosure log.

• Wireless connections should be encrypted to avoid interception of data and restrict access to the clinic's network

As a privacy officer, one of your responsibilities is to educate clinic staff and vendors about the proper use of the technical safeguards available to them and make sure they do not take shortcuts.

Retention and Destruction of Health Information

The retention of records is an easily overlooked but critical aspect of proper management of health information. Custodians of records are subject to medico-legal requirements and must implement proper information management practices. It is important that you know and document:

• Where all records are stored (both for active and inactive patients)

• What safeguards are in place to protect those records

• How records can be retrieved (in particular if you have contracted a storage company)

Similarly, you should have a policy in place for records of health information that are no longer required. It is recommended that physicians at your clinic follow the records retention policies established by the College of Physicians & Surgeons of Alberta which suggest that records be retained for:

• A period of 10 years after the last patient encounter

• For patients under 16 years of age, 2 years past the age of majority or 10 years (whichever is longer)

The required methods of destruction are:

• Shredding of paper records

• Secure wiping of the data or destruction of the media for electronic information

Destruction of information must be documented, whether it is done by the privacy officer or a third-party service provider, so you can go back to this log if needed in the future and know which records were destroyed and when.
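The retention rule and the destruction log described above, as one added Python example (constructed here, not a tool from the College or the OIPC): it computes the earliest destruction date for a chart, applying the longer of the two periods for patients who were under 16 at their last encounter, and refuses to log a destruction that would fall inside the retention period. The age of majority is an assumption (the page does not state it; 18 is used), and so are the record identifiers and dates.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List

# Assumption: the page does not state the age of majority; 18 is used here.
AGE_OF_MAJORITY = 18
MINOR_THRESHOLD = 16        # the rule treats patients under 16 differently
STANDARD_YEARS = 10         # 10 years after the last patient encounter
YEARS_PAST_MAJORITY = 2     # 2 years past the age of majority for those under 16


def add_years(d, years):
    """Same calendar date in a later year; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(birth_date, on):
    """Completed years of age on a given date."""
    years = on.year - birth_date.year
    if (on.month, on.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def retention_end(last_encounter, birth_date):
    """Earliest date the record may be destroyed under the rule the module quotes."""
    standard = add_years(last_encounter, STANDARD_YEARS)
    if age_on(birth_date, last_encounter) < MINOR_THRESHOLD:
        past_majority = add_years(birth_date, AGE_OF_MAJORITY + YEARS_PAST_MAJORITY)
        return max(standard, past_majority)   # whichever is longer
    return standard


@dataclass
class DestructionEntry:
    record_id: str
    method: str            # "shredding", "secure wipe" or "media destruction"
    destroyed_on: date
    performed_by: str      # the privacy officer or the third-party service provider


@dataclass
class RecordsRegister:
    log: List[DestructionEntry] = field(default_factory=list)

    def destroy(self, record_id, last_encounter, birth_date, method, performed_by, today):
        """Refuse destruction inside the retention period; otherwise document it."""
        end = retention_end(last_encounter, birth_date)
        if today < end:
            raise ValueError(f"{record_id} must be retained until {end.isoformat()}")
        entry = DestructionEntry(record_id, method, today, performed_by)
        self.log.append(entry)
        return entry


if __name__ == "__main__":
    # Constructed sample: an adult's chart and a small child's chart, same last visit.
    print(retention_end(date(2020, 3, 15), date(1980, 5, 1)))   # 2030-03-15
    print(retention_end(date(2020, 3, 15), date(2015, 6, 10)))  # 2035-06-10
```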

Module 2 Case Study

A clinic employee had to come back to the clinic after picking up her teenage son from school and she approached the clinic manager with two questions.

Her son had noticed old computers in the storage room. Since all the patient records had been copied from them and transferred to a new computer system, these computers were no longer being used. She asked if he could take the computers to the eco centre as part of his school recycling project. She also asked if he could have the password to connect to the clinic's wireless network on his iPod™ while he waited for her to finish work. Choose the best course of action for this particular situation:

1. Give her the password, but take the computers to the eco centre yourself

2. Give her the password to the wireless

3. Give her son the password and let him take the computers to the recycling station

4. Say no to both requests and provide an explanation

The answer is 4. Say no to both requests and provide an explanation. The requests raise the following issues:

• Risk of data exposure on older hard drives

• Risk of disclosure of health information

• Wireless network and Internet use policy

• Staff understanding of privacy policies and procedures

How to Best Address these Issues

1. There is a significant risk of data exposure on the older hard drives if they end up in the wrong hands. Recycling does not mean the devices will be destroyed or dismantled. They could be refurbished locally or sent overseas for processing. Once all measures have been taken to properly migrate health information stored on an electronic storage medium, your clinic is expected to securely dispose of older media. A number of service providers offer destruction services, and where not possible or practically feasible, data can be securely erased so that it cannot be recovered even with advanced computer forensics knowledge.

2. Your clinic should have a policy in place to control access to its wireless network and enforce the rules, including adding only work-related devices. Doing otherwise provides more entry points to your clinic's network, which increases its exposure to misuse. Make sure to use a strong password for your wireless network and keep an up-to-date list of devices using the network.

3. The clinic employee seems to be unclear about appropriate use of the Internet at your clinic. This is usually addressed in the clinic policies and procedures and prescribing appropriate uses of the Internet is left to your discretion. It is recommended that you limit Internet use to what is necessary to save bandwidth, particularly when your EMR has to connect to an offsite data centre to retrieve patient data.

Module 2 Summary

There are a number of safeguards in place to protect health information under your responsibility. Your clinic's physicians and staff are the cornerstone of health information protection and should be the primary focus of your efforts as a privacy officer.


Module 3 – Privacy Awareness

In order to operate, your clinic relies on the services provided by a number of individuals and organizations. All of them are affiliates of your clinic's custodians and the obligation you have to protect health information extends to them. In order to adequately protect health information, the Health Information Act (HIA) requires you to ensure that those affiliates are aware of the policies and procedures in effect at your clinic and that they comply.

Some individuals will be working as employees, others as volunteers or under specific contract arrangements. Similarly, a number of organizations will provide services, either on a regular basis, such as transcription companies or payment processing companies, or only occasionally, such as shredding companies or information technology services providers.

This module outlines a number of measures you can take with regards to three types of affiliates:

1. Individuals working at the clinic as employees or volunteers

2. Organizations that provide services directly related to health information, such as your EMR vendor, shredding companies, IT services or transcription service companies. Under the HIA, these direct service providers are considered information managers for your clinic and your clinic is required to sign Information Manager Agreements with them.

3. Organizations that provide services not directly related to health information, such as alarm and security companies or janitorial services

Employees and Other Individuals

Employees need to be aware of the clinic's health information policy and procedures as they apply to them, who the clinic's privacy resources (the people they can turn to) are, and what those resources are responsible for. Those resources, in turn, need to be aware of the clinic's health information policy and procedures as they apply to their own role.

This includes clinic staff, volunteers and other individuals contracted by the clinic, as well as the physicians themselves. Privacy and security is best addressed upon hiring (orientation) and refreshed periodically during employment and upon termination.

Privacy Orientation at Hiring

When you hire a new person to work at your clinic, it is important to clearly communicate with them what your clinic does to protect health information. Use a checklist to document the following aspects of privacy orientation:

• Confidentiality oath

• Main clinic door key

• Other keys (if applicable)

• Alarm access code (if applicable)

• Netcare Access FOB

• Network computer system user account

• Electronic medical record (EMR) user account

individual gives them the opportunity to ask questions and helps ensure they know who to contact if they need advice about privacy in the future.

Refreshing Privacy and Security Training during Employment

After an extended period of employment, it is common for clinic staff, volunteers and others to forget privacy policies and procedures and slip into poor habits. As with many other organizational initiatives, creating and maintaining a culture that protects privacy takes time and can be aided by periodically reminding all individuals that they are responsible for:

• Protecting the confidentiality of any health information they have access to through the performance of their job duties.

• Collecting, using and disclosing health information only in the performance of their job duties.

• Reading and signing off on privacy and security policies and procedures.

• Reporting privacy breaches or complex cases relating to information disclosure to the privacy officer.

The next section of this training module provides more detailed information on activities you can periodically conduct to ensure staff consistently comply with privacy policies and procedures.

Privacy during Employment Termination and Transition

Whenever an employee, volunteer or other resource is terminated, there are exit procedures regarding privacy to consider. There are also aspects of information transfer to consider if a transition between two individuals in a role is to occur.

• Ensure that control items, including identification badges, keys, access cards, fobs, security tokens, perimeter security alarm passwords and computer system passwords have been returned, cancelled or deleted

• Train the person taking on the position about privacy policies and procedures yourself, before letting them be trained specifically about the work they will be doing at the clinic

• Remind departing staff of their continued obligation to maintain confidentiality of the health information they have been exposed to while working at your clinic, even after termination of employment

Organizations Providing Services Directly Related to Health Information

(Information Managers)

An information manager is a person or organization that provides services to your clinic directly related to health information. This includes:

• Your EMR provider

• Off-site backup service company

• Billing submission or third-party transcription service

• Shredding company or any entity that would encode or modify health information

The HIA requires that you treat these service providers differently than other organizations because of the direct exposure they will have to health information. One of the intents of the HIA is to make sure that patient privacy is not at risk when custodians contract service providers and give them access to health information.

The mandatory requirements listed below ensure your information managers comply with the law and avoid costly mistakes.


You must enter into a specific Information Manager Agreement with each of your service providers who qualifies as an information manager. This agreement must address the following aspects:

1. Objectives and principles of the agreement, including services to be performed

2. Authority of information manager to collect, use or disclose health information and which type(s) of health information

3. Information manager's response and process to requests to access, correct or amend health information

4. Information manager's procedure to handle expressed wishes of individuals

5. Policies and procedures of the information manager to protect, manage, return or destroy health information

6. Sanctions that can be imposed on the information manager if they fail to protect health information

7. Termination of the agreement

These requirements apply even more so if the organization is located outside of Alberta. Even though legislation in the other party's jurisdiction will differ, as a clinic located in Alberta, you are required under the HIA to ensure that adequate safeguards are in place in your dealings with organizations located outside of Alberta. Your role as a privacy officer is to make sure that, at all times, there is an agreement in place with all of your clinic's information managers and that these agreements are enforced.

Organizations Providing Services not Directly Related to Health Information

Companies, individuals or other organizations that provide services not directly related to health information, such as alarm and security companies or janitorial services, do not require an Information Manager Agreement under the HIA. However, the possibility exists that individuals providing services at your clinic might be exposed to health information, and the following recommendations are meant to mitigate associated risks.

Privacy Orientation at Hiring

When you contract an organization or individual to offer a service for your clinic, and it can be expected they will have short-term or potential access to health information, you must ensure that they are aware they are subject to your clinic's privacy policies and procedures.

All contractors and their employees who have exposure to and use clinic information assets and systems shall sign a confidentiality (non-disclosure) agreement. This agreement will include specific information security provisions for the contractor, or will bind the contractor to the clinic's information security policies and procedures. Contractors will be provided with a copy of the clinic's privacy policies and procedures and will be asked to sign a declaration that they have received these documents.

Any related third-party information security and privacy policies should be made available to you upon request, including updates or revisions that occur after execution of the contract.

It is important that you monitor the compliance of vendors with your clinic's privacy policies and procedures, and in particular, that you:

• Ensure they respect their obligation to confidentiality by not inappropriately accessing, using or disclosing health information.

• Remind those individuals who have keys to the building to properly lock doors upon leaving the premises and to activate the alarm system if there is one.


Every time a contract is terminated, it is important that you:

• Ensure control items, including identification badges, keys, access cards, fobs, perimeter security alarm passwords, computer system passwords, have been returned, cancelled or deleted as applicable for the particular individual and organization

• Remind contractors on termination, and require from vendors to remind their employees on termination, of their continued obligation to maintain confidentiality of the health information they have been exposed to while working at your clinic

• Ensure all clinic information assets, including hardware, system documentation and health information are either returned to you, or destroyed (with a certificate proving destruction, by whom and when) in accordance with contract provisions reflecting records retention and data management policy

Module 3 Case Study

A clinic decided two days ago to use the services of a billing company and their representative is expected to come today to install their program and provide initial training. As the privacy officer exits the staff room and walks past the reception area, she overhears a conversation at the reception desk in which the receptionist welcomes someone to the clinic. The visitor identifies himself as Vick and says that he is there to install and configure the billing system. He states he has an appointment with a physician and adds that it would be helpful if a few patient files were on hand to help make his instructions easier to follow during the training.

The receptionist hands over a few patient files and points the visitor in the direction of the physician's office. The visitor proceeds past the exam rooms, into the physician's office. Choose the best course of action for this particular situation:

A. Step in, confirm that this vendor has a contract AND a signed Information Manager Agreement, walk this person to the doctor's office

B. Address this in your next staff privacy training session

C. Step in, confirm that this vendor has a contract and a signed Information Manager Agreement, return the patient records to the receptionist, walk the person to the doctor's office and address this situation in the next staff privacy training session

D. Go back to work

The answer is C. Step in, confirm that this vendor has a contract and a signed Information Manager Agreement, return the patient records to the receptionist, walk the person to the doctor's office and address this situation in the next staff privacy training session. The situation raises the following issues:

• The need to verify individuals' identities before giving access to restricted areas of the clinic or to systems containing health information

• The requirement for an Information Manager Agreement

• The need for supervision of visitors at the clinic, in particular if they go past exam rooms

• Inappropriate use of patient records for training

How to Best Address these Issues

1. The identity of individuals visiting the clinic claiming to be associated with a particular vendor must be confirmed and their access to the clinic areas controlled. Instruct your staff to verify the identity of individuals, and require visitors to be accompanied while at the clinic.


2. Your clinic is obligated to take a number of measures with vendors to make sure the privacy of patients is protected and to be compliant with the HIA. In this scenario, because the vendor will have direct access to health information, the situation requires them to sign an Information Manager Agreement with the clinic. Before this agreement is in place, this vendor cannot be given access to health information.

3. It is not recommended to use actual patient records for training. You should always use dummy records in these cases.

Module 3 Summary

Human error has been consistently rated as the most common cause of privacy breaches. It is therefore important to establish and maintain relationships with the various stakeholders that contribute to your clinic's operations:

• Physicians

• Staff

• Contractors and information managers

• Volunteers and others

Ensure these stakeholders know who you are and constantly remind them of their obligations as well as the resources available to them to meet requirements of the HIA.


Module 4 – Ongoing Privacy Compliance

As a clinic privacy officer, one of the important responsibilities you have is to ensure your clinic complies with the Health Information Act (HIA) on a continuous basis. This module addresses compliance activities and includes information about:

• Developing and offering tools to make compliance easy

• Embedding privacy attitudes and behaviours into the organizational culture so that privacy is not an afterthought

• Implementing role-based, hands-on procedures

The activities described in this module may be delegated to other clinic staff or third parties, depending on how operations are run in your organization. In this case, it is your responsibility to ensure these tasks are properly and consistently completed.

Daily Activities

Upon Arriving

• Ensure point-of-sale debit and credit card receipts are securely stored and kept out of public sight and reach (these belong to registration information, which in turn is a subset of health information).

• Ensure computer monitors in reception areas are positioned away from public sight to prevent unauthorized viewing of patient information.

• Ensure that transient records that may contain health information are placed out of public sight and reach.

• Ensure music is playing overhead in the patient waiting area.

During the Day

• If a representative from a vendor visits, confirm identification and proof they are affiliated with the particular vendor. Ensure required agreements are in place and that access to areas of the clinic is appropriately limited.

• Ensure new staff members review clinic privacy and security policies and procedures and sign an oath of confidentiality on their first day.

• Ensure new staff members obtain proper approvals before creating and assigning unique user IDs to enable them to access the clinic computer network and EMR.

• Run a scan of the wireless network to ensure there are no unauthorized connections.

Before Leaving

• Conduct a complete backup of clinic administrative data that are stored outside your clinic's EMR, such as payroll software and files, policies and procedures, employee checklists, agreements with third parties, document templates and the clinic's privacy impact assessment. This backup can be done by copying all data onto an encrypted external hard drive.

• Review and confirm the backup of clinic administrative data is successful.

• Ensure all users have logged off workstations before leaving the clinic.

• If a server is maintained within the clinic, review and confirm the EMR backup is successful and complete.

• Turn on the perimeter security alarm before leaving the clinic.


Monthly Activities

Personnel

• Provide privacy and security training for new staff

• Review user IDs in EMR and verify user IDs are only assigned and active for current staff

• Review user IDs that access the clinic network and verify user IDs are only assigned and active for current staff

• Review user passcode assignment for perimeter alarm system and verify passcodes are only assigned and active for current staff

Activity Logs

• Review audit logs in EMR to check activity and EMR use by clinic staff

• Review audit logs in Netcare to check activity and Netcare use by clinic staff

• Review Internet use logs on clinic computer to ensure clinic staff are adhering to clinic's Internet use policy

• Review disclosure log for consistent use by staff if not managed centrally by yourself
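The Personnel and Activity Logs reviews above can be done as one reconciliation. The script below is an added example, not part of the training module: it compares the accounts exported from the EMR, the clinic network and the alarm panel against the roster of current staff kept from the hiring and termination checklists, flags accounts that are generic (shared) or belong to people who have left, and then pulls the EMR audit entries recorded under those accounts for follow-up. All names, account lists and log lines are constructed.

```python
"""Monthly personnel access review for a clinic.

Added example, not part of the training module. Every name, account list and
log line below is constructed; a real clinic would export them from its EMR,
network directory and alarm panel.
"""
from dataclasses import dataclass

# Account names that are not tied to a named individual. Module 4's case study
# shows why these matter: the new nurse was working under "the administration account".
GENERIC_ACCOUNT_NAMES = {"admin", "administrator", "reception", "clinic", "guest", "temp"}

# Constructed roster: everyone with a completed hiring checklist and no termination checklist.
CURRENT_STAFF = {"A. Smith", "J. Doe", "M. Lee"}

# Constructed account exports: user ID -> named owner (None when unassigned or shared).
EMR_ACCOUNTS = {"asmith": "A. Smith", "jdoe": "J. Doe", "mlee": "M. Lee",
                "rkhan": "R. Khan", "admin": None}            # R. Khan left last month
NETWORK_ACCOUNTS = {"asmith": "A. Smith", "jdoe": "J. Doe", "rkhan": "R. Khan"}
ALARM_PASSCODES = {"1001": "A. Smith", "1002": "J. Doe", "1003": "R. Khan", "9999": None}
KEYHOLDERS = {"A. Smith", "J. Doe"}  # only staff needing after-hours access get a passcode

# Constructed EMR audit log: timestamp,system,user_id,action,target
EMR_AUDIT_LOG = """\
# constructed sample entries
2021-03-02 08:05,EMR,jdoe,VIEW,chart=SAMPLE-0001
2021-03-02 11:40,EMR,admin,VIEW,chart=SAMPLE-0002
2021-03-03 17:55,EMR,rkhan,VIEW,chart=SAMPLE-0003
2021-03-04 09:10,EMR,asmith,UPDATE,chart=SAMPLE-0001
"""


@dataclass
class ReviewResult:
    system: str
    orphaned: list   # owner is no longer current staff: deactivate
    generic: list    # not tied to a named person: replace with individual accounts
    missing: list    # current staff who need an account here but have none


def review_system(system, accounts, current_staff, required_for=()):
    """Compare one system's accounts with the current-staff roster."""
    orphaned, generic, missing = [], [], []
    for user_id, owner in sorted(accounts.items()):
        if owner is None or user_id.lower() in GENERIC_ACCOUNT_NAMES:
            generic.append(user_id)
        elif owner not in current_staff:
            orphaned.append(user_id)
    owners = {owner for owner in accounts.values() if owner}
    for name in sorted(required_for):
        if name in current_staff and name not in owners:
            missing.append(name)
    return ReviewResult(system, orphaned, generic, missing)


def flagged_audit_entries(log_text, results):
    """Return EMR audit entries recorded under accounts the EMR review flagged."""
    flagged = {uid for r in results if r.system == "EMR"
               for uid in r.orphaned + r.generic}
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        timestamp, system, user_id, action, target = line.split(",")
        if system == "EMR" and user_id in flagged:
            hits.append((timestamp, user_id, action, target))
    return hits


def monthly_review():
    """Run the three account reviews and collect audit entries to follow up on."""
    results = [
        review_system("EMR", EMR_ACCOUNTS, CURRENT_STAFF, CURRENT_STAFF),
        review_system("network", NETWORK_ACCOUNTS, CURRENT_STAFF, CURRENT_STAFF),
        review_system("alarm", ALARM_PASSCODES, CURRENT_STAFF, KEYHOLDERS),
    ]
    return results, flagged_audit_entries(EMR_AUDIT_LOG, results)


if __name__ == "__main__":
    results, hits = monthly_review()
    for r in results:
        print(f"{r.system}: deactivate={r.orphaned} generic={r.generic} missing={r.missing}")
    for hit in hits:
        print("follow up:", hit)
```

The "missing" list is the other half of the checklist: a current staff member with no network account of their own is exactly the situation that leads to a shared administration account being used.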

Check Software Updates

• Review and update security and access points to stay up-to-date with changes in technology

• Ensure virus software is up-to-date on all computers

• Ensure all servers within clinic are updated with latest patch

Run Backups

If server is maintained in the clinic:

• Store one copy of monthly backup offsite on encrypted media

• Test one monthly backup of EMR system to ensure backup was successful

• Check to ensure the uninterruptible power supply (UPS) is running normally

Regardless of the location of your server, you should store one copy of the clinic's administrative data backup offsite on encrypted media.

Stay Current with Privacy Issues

• Check the Office of Information and Privacy Commissioner (OIPC) of Alberta website for new orders and investigation reports which present real-life cases and remediation measures that could be applicable to your clinic

Annual Activities

Update Clinic Policies

Review privacy and security policies to ensure they are up-to-date with changes in:

• Clinic practices and procedures

• Applicable legislation (HIA as well as other acts)


• Provide privacy and security refresher training to clinic staff, students, volunteers and contractors.

• Discuss with your staff situations that have been encountered at the clinic, actions taken at the time and future best approaches

Review Compliance

• Require vendors to review clinic privacy and security policies and procedures

• Require affiliates to review and sign an Oath of Confidentiality

• Review Vendor Non-Disclosure Agreements and/or Information Manager Agreements that are in place with contractors

Prepare for Next Year

• Update the destruction log by documenting which records were destroyed and who was present to confirm the destruction

• Review and update inventory of wireless devices and other hardware peripherals connected to clinic's network

• Review clinic activity for upcoming year and determine if the clinic needs to update the Organizational Management Privacy Impact Assessment or submit a project-specific privacy impact assessment

• Look for privacy-related sessions at professional conferences you may attend

The OIPC document A Practical Guide to the Health Information Act provides guidance towards achieving compliance with the HIA, as well as real-life applications of HIA rules.

Module 4 Case Study

Upon returning from vacation, a privacy officer received a voicemail message left by a nurse who started working at the clinic while the privacy officer was away.

The new nurse indicated that she had been at the clinic for one week and had only received a brief orientation that left her with a few questions. The administration account for the clinic EMR would not allow her to view all patient records and attempts at changing the password failed. Specifically, she was trying to access her cousin's record as she was asked to check if the lab results had arrived. The nurse went on to state that her cousin and her husband had been trying to have a baby for some time and she hoped the lab results were positive.

Choose the best course of action for this particular situation:

A. Change account settings so the nurse can see the information she needs

B. Call her cousin to give her the good news

C. Fire the nurse for inappropriate professional conduct and misuse of health information system

D. Give the nurse a copy of your clinic privacy policies and discuss issues associated with her request

The answer is D. Give her a copy of your clinic privacy policies and discuss the issues associated with her request. The issues presented in this case are:

• A lack of a replacement privacy officer to address privacy orientation and training

• Health information should only be collected, accessed, used and disclosed for an authorized purpose

• Health information should be kept in confidence and not disclosed over the phone

How to Best Address these Issues:

1. Privacy officers should consider making plans to have someone assume the role when they are absent in order to avoid potential privacy issues.

2. No one should be using a generic account or changing passwords to weak ones. As a part of privacy orientation, go through the new hire checklist to ensure new recruits have an access specific account added to the EMR. Also, follow up that keys and other security items have been addressed. Include information in your training that addresses choosing strong passwords.

3. No one can collect, use, access or disclose health information other than to achieve an intended purpose regarding patient care at the clinic. As an employee of the clinic, the nurse should only use health information systems for job-related purposes, and not for any other reasons, even to check her own record or those of relatives. This also applies to use of external health information systems such as Alberta Netcare.

4. Adequate training is key to good privacy practices. Have the nurse review the clinic's policies and procedures and invite questions. This situation is one you could use as a basis or source of inspiration for a future training session.

Module 4 Summary

• The activities proposed in this module are a starting point to help privacy officers develop and manage privacy and security tasks within their clinic.

• As guiding principles, try to develop and offer tools to make compliance easy, to embed privacy attitudes and behaviours into the organizational culture and to implement role-based, hands-on procedures.


Module 5 – Privacy Point of Contact

One of the most important roles of a privacy officer is to act as a primary point of contact for questions on information access, privacy protection and compliance with the Health Information Act (HIA).

When it comes to the role of a privacy officer, the third parties with whom you may interact can be broken down into three categories:

1. Clinic staff (including contracted organizations)

2. Patients and individuals

3. Authorities

While it is not possible to anticipate every question that you will be asked, providing key information and access to resources or individuals within the organization who can provide further information will always be beneficial to the clinic, its physicians and patients.

Contact with Staff

The staff at your clinic will have most of the interactions with patients and physicians. Staff knowledge of your clinic's policies and procedures will be the key success factor when it comes to your clinic's compliance with privacy laws.

Communicate Often and Network

In order to avoid privacy from becoming an afterthought, you should communicate with your clinic staff, physicians and contractors on a regular basis to remind them of the importance of privacy.

Here are a few suggestions for engaging staff:

• Consider scheduling lunch break information sessions in which a privacy topic from the news, the Office of Information and Privacy Commissioner (OIPC) of Alberta or your very own clinic is discussed. This provides an opportunity to give your staff gentle reminders about how things should be done and how your clinic could operate better.

• Add privacy as a standing agenda item to staff meetings. Present an aspect that is relevant to your clinic. Make it your objective to deliver one simple key message each time and try to solicit questions from your audience.

• Get to know and stay connected with other individuals that have a role similar to yours in other clinical environments. These relationships can help you with ideas and to learn from others.

The key is to make any content you present relevant to your audience through the use of carefully chosen examples, cases or presenters.

Engage Employees

Clinic staff is accountable for privacy and should feel involved in the privacy and security strategy of your clinic. Remind them regularly of the "Do's and Don'ts" of patient privacy and encourage them to seek advice from you if they are unsure about the appropriate course of action.

Provide training to your employees as a way to empower them to make the right decisions and better evaluate the consequences of their actions before they proceed. Training is a proactive measure that will greatly benefit your clinic in making sure that responses given to patients and general actions are consistent across employees.


Reinforce staff engagement by encouraging employees to document difficult or unclear situations that they encounter. Use this information to develop a procedure manual for each staff role in your clinic and the specific privacy topics with which each role should be familiar. A list of frequently asked questions and answers is also helpful.

Be Seen as a Partner

When you discuss privacy protection with your clinic staff and contractors, position yourself as a resource rather than the person who is only there to enforce policies and procedures. Develop and refine your skills in giving and receiving constructive feedback and be consistent in the style and frequency of your communications. In order for everyone to benefit from your efforts, the approach you choose will have to take into account the type and size of your clinic.

Contact with Patients and Individuals

The privacy officer has an important role to play with individuals. This aspect of your role is included in the HIA. The intent of the legislation is to make it simpler for patients to have their questions about privacy answered by providing them with a single point of contact at a clinic. Begin your contact by posting a notification of collection in your waiting room, reception area or in the exam rooms. This document makes your new or existing patients aware of the clinic's need to collect health information to provide health services. It should also include information on how to reach you - the clinic privacy officer.

Most of the time, individuals will contact the privacy officer to make a request to access the health information contained in their record at your clinic. Your role is to assist individuals (called applicants in the legislation) with their requests and to act as the interface between these applicants and the physicians who are the custodians of the records.

It is important you make yourself familiar with the aspects of access requests:

• Information that can be disclosed

• Information that must be disclosed

• Information that can be withheld

• Severing information

• Identity of applicant

• Applicable fees

Physicians at your clinic have a duty to assist applicants and respond to them as openly, accurately and completely as possible, and if the applicant requests it, provide explanations of the terms, codes and abbreviations used in the record provided to them.

Contact with Authorities

There are a number of situations in which custodians at your clinic may have to interact with third parties that do not belong to the general public. These include professional bodies (such as the College of Physicians & Surgeons of Alberta), researchers, Alberta Health, law enforcement authorities or the Office of the Information and Privacy Commissioner (OIPC) of Alberta.

Your role as a privacy officer is to act as the central point of contact. This serves several purposes:

• Ensures consistent processing of requests from third parties

• Facilitates work for your clinic's custodians and staff

• Minimizes disruption to your clinic's operation


related to one of their members (physician or other).

Researchers, who could be physicians at your clinic or other individuals, may contact you to use health information. If this is the case, it is important you understand provisions of the HIA with regards to research involving health information.

For more information about research and the HIA, please review section 8 of the Health Information Act - Guidelines and Practices Manual.

Alberta Health monitors the use of and access to the health system, and as such, conducts investigations in cases of suspected abuse or fraud. In addition, Alberta Health conducts monthly audits of access logs to Alberta Netcare to make sure that this province-wide electronic health record is only used for job-related purposes.

Law enforcement authorities may request health information about individuals in particular situations. In some cases, health information may be disclosed without the individual's consent. In those cases, you will most likely have to work in collaboration with custodians at your clinic, and carefully document how a decision is made, and if a disclosure occurs, make sure to keep track of this disclosure.

For more information, please review the Disclosure to Police section of the OIPC guide Health Information, A personal matter - A practical guide to the Health Information Act.

The Office of the Information and Privacy Commissioner of Alberta will contact your clinic to investigate complaints from individuals or in the case of a serious privacy breach at your clinic. Their investigation of any issue that arises will be greatly facilitated by the presence of a single contact that is familiar with the clinic's operations, as well as privacy policies and procedures.

Module 5 Case Study

A clinic uses the services of a clinic physician's wife to perform transcription. She usually receives electronic recordings on a USB flash drive and attaches the transcribed version directly to each patient's record by remotely connecting to the clinic EMR from home.

The transcriptionist reports to the clinic that her car has been broken into and her keys, the USB flash drive used to store recordings for transcription and her husband's Netcare security token (also known as a FOB) have been stolen. She asks what she should do.

Choose the best course of action for this particular situation:

A. Investigate to find out what information is contained on the USB flash drive, then document findings, notify patients, authorities and Netcare and change the clinic's locks

B. Change locks at the clinic, give the transcriptionist your Netcare security token and hope no one ever finds out

C. Determine information on the USB flash drive, notify the OIPC, notify patient(s) if confidentiality was compromised, remind staff to use encryption for all mobile devices holding health information, change locks at the clinic and notify Alberta Netcare that the security token should be revoked

The answer is C. Determine information on the USB flash drive, notify the OIPC and POSP, notify patient(s) if confidentiality was compromised, remind staff to use encryption for all mobile devices holding health information, change locks at the clinic and notify Alberta Netcare that the security token should be revoked.


The issues presented in this case are:

• Non-encrypted health information is potentially present on the stolen USB flash drive and patient confidentiality could be compromised

• Clinic security is compromised because keys were stolen

• Netcare security token was stolen

How to Best Address these Issues

1. The missing USB flash drive could contain health information, which could constitute a breach of patient privacy. Determine what information was stored on the USB flash drive. If it did contain health information, determine if it was encrypted. Notify the OIPC for guidance and information. The impacted individuals (patients) should be notified. It is highly recommended you thoroughly document all actions taken and findings.

2. Stolen keys mean someone could gain access to the clinic after hours. You should have locks changed and keys replaced for all personnel who require access. In addition, it may be a good opportunity to review who has keys to the clinic (based on the checklist you maintain for each individual working at the clinic) and whether their duties actually require them to have a key. Lastly, if the clinic does not have an alarm system, it may be a valuable addition.

3. The loss of the remote access Netcare security token represents a risk. While this device alone does not allow access to a system, the issuing party should be notified and the device revoked.

Module 5 Summary

The role you have to play as a primary point of contact for multiple stakeholders is an important one. It will require you to:

• Be aware of clinic privacy policies as well as clinic operations

• Handle stressful or potentially urgent situations


Review and Conclusion

Maintaining the privacy and confidentiality of the health information in your clinic means applying administrative, physical and technical safeguards. Review your clinic's policies on a regular basis and discuss them with your staff.

Your best chances of success in this role lie with regular compliance activities and proper preparation.

You are not alone. Resources exist to help support privacy officers and staff.

Further guidance can be found in the document Health Information, A personal matter - A practical guide to the Health Information Act published by the OIPC.
