Assessing Risk and Implementing Safeguards

Privacy and security risk assessments are conducted by clinics to determine whether there are gaps in a clinic’s privacy and security policies, practices and procedures.

To ensure that proper safeguards for protecting information are in place, risk assessments are completed on a regular basis (e.g., annually) and whenever there are changes to the collection, use or disclosure of health information. This is the custodians’ and Privacy Officer’s obligation under the Alberta Health Information Act (HIA). Completing a risk assessment is an easy way to ensure that your clinic stays compliant.

  1. Step 1

    Use the Privacy and Security Risk Assessment Tool to review the potential risks and ensure that the suggested safeguards are implemented.

    Privacy and Security Risk Assessment

    Key Resources to Assist

    Physical

    • Check for basic physical safeguards (e.g., computer screens facing away from the public, playing music to limit the overhearing of health information, ensuring locks and alarms are in place and functioning properly). The best way to do this is to walk around the clinic with the checklist and inspect each safeguard.

    Administrative

    • Confirm that staff understand how to keep information safe (training)
    • Ensure policies and procedures are relevant to your practice (routine review)
    • Review audit logs (logging access and what is viewed)
    • Review access controls (what staff have access to electronically and physically)

    Technical

    • Ensure passwords are changed regularly
    • Ensure stored health information is protected by encryption and two-factor authentication
    • Ensure firewalls, antivirus software and software updates are current

  2. Step 2

    Create an action plan for each of the gaps identified in Step 1. A simple spreadsheet format is presented in the assessment tool.

  3. Step 3

    Use the action plan that you have created to implement the safeguards and track your progress.

  4. Step 4

    Save the spreadsheet in a safe place and refer to it if you are asked for documentation of what safeguards are in place. This could be requested in the event of a breach or when preparing a privacy impact assessment.

  5. Step 5

    Review the previous year’s assessment and action plan, and update your assessment for the current date.