Having a privacy compliant clinic is the key to mitigating risks and minimizing breaches. Incorporating routine reviews of your clinic’s policies and procedures, assessing safeguards, providing staff training, regularly checking Electronic Medical Record (EMR) audit logs, and reviewing and updating your Privacy Impact Assessment (PIA) are a few steps your practice can take to building a stronger privacy compliant clinic.
Privacy and Security Self-Assessments
Self-assessments can help you determine if there are any gaps in your clinic’s privacy and security program. Being able to analyze your current program and identify risk will help you mitigate hazards. Use the self-assessment tools to find room to improve within your clinic.
Clinic Privacy and Security Program
Building a privacy and security program in your clinic does not mean you have to change the way in which you do business. In fact, you and your team are likely already doing many components of a program every day. Taking the steps to build stronger practices and ensuring that all elements of a Clinic Privacy and Security Program are being addressed can reduce risks associated with privacy breaches.
The elements of a Clinic Privacy and Security Program include:
- Implementing privacy policies and procedures
- Defining roles and providing training for custodians, privacy officers and clinic staff
- Incorporating safeguards and best practices for securing information
- Building strong data sharing processes and using proper agreements
- Maintaining an up to date Privacy Impact Assessment (PIA)
Roles and Responsibilities
There are a number of privacy roles and responsibilities within a clinic and it’s important to understand how each role can work together as a team to ensure the best privacy practices are in place. The key roles are:
- Custodians are typically physicians in a clinic and are responsible for all the elements of the Clinic Privacy and Security Program.
- Affiliates are the majority of clinic staff (e.g. reception, registered health providers, any physician not appointed lead custodian, students, contractors, etc.) and are responsible for following and adhering to the Clinic Privacy and Security Program.
- Privacy Officers are a required role delegated by the custodian and are responsible to oversee the Clinic Privacy and Security Program and ensure compliance with Health Information Act (HIA).
- Information Managers are anyone who provides health information management and technology services. This includes processing, storing, retrieving or disposing of a clinics’ patient health information including EMR vendors, IT providers, shredding companies, etc.
Privacy Breaches
Privacy breaches can happen at any time and refer to the loss of, unauthorized access to, or unauthorized disclosure of personal information or individually identifying health information. According to the Office of the Information and Privacy Commissioner of Alberta (OIPC), the most common privacy breaches reported include:
- Loss or theft of devices (e.g. laptops, USB sticks) or stolen paper records from vehicle, home or office
- Misdirected communications via email, fax or mail
- Employee “snooping” of patient/client records
- Hacking of computers, servers and websites
- Malicious software (malware and ransomware) or phishing attacks
- Improper disposal of records/devices or failure to wipe hard drives clean
Reporting a Breach
If your clinic determined that there has been a reportable privacy breach, you must notify the OIPC and Alberta Health (minister). Custodians are required to notify the commissioner and minister of health as soon as practicable with both of the following forms:
Any individual whose information was breached will need to be notified immediately. This can be done by secure email or mailed letter. It is important to be transparent about what general information was compromised (but not the detailed data), what steps have been taken to mitigate their risks and provide affected individuals with contact information to the OIPC and your Privacy Officer if they have more questions.