Building a strong Clinic Privacy and Security Program is the best way for physicians and their teams to mitigate risks. In order to successfully develop and incorporate a program into your day-to-day work, your team must know what it means to be privacy-aware and fully understand how their individual roles support the whole clinic’s goals.
Privacy Roles
There are several roles within a clinic that support privacy compliance and build a comprehensive Clinic Privacy and Security Program. Understanding how each role can work together as a team to ensure the best privacy practices are in place is key.
Custodians
Custodians of health information are typically the physicians within the clinic who have custody over the patients’ information. They control how information is collected, used, and disclosed, and take reasonable effort to protect and safeguard the information from unauthorized disclosure, use, modification or inaccuracy.
Along with overseeing the protection of patients’ health information, custodians are responsible for all the elements of the Clinic Privacy and Security Program. They maintain administrative, technical and physical safeguards that will protect the confidentiality and security of any health information.
Custodians establish or adopt policies and procedures so that the clinic is privacy compliant under the Health Information Act (HIA). They have final approval of the clinic’s Privacy Impact Assessment (PIA) before it is submitted to the Office of the Information and Privacy Commissioner of Alberta (OIPC), they are responsible for reporting and mitigating privacy breaches, and they are responsible for appointing a clinic privacy officer.
A lead custodian is a physician who has been chosen to manage the entire clinic’s privacy compliance. This is common practice within a clinic where there are multiple physicians working.
The lead custodian will assume the responsibilities of the Clinic Privacy and Security Program on behalf of the other physicians and be the point person for the overall management of the program. They are also responsible for ensuring proper agreements are in place with staff and vendors, and they become the decision-maker and signatory for privacy matters (e.g. releasing records).
Privacy Officer
The role of privacy officer is delegated to an individual within the clinic by the custodian or lead custodian. It is customary for the office manager, lead nurse, medical office assistant, or other leadership personnel to be named the clinic’s privacy officer. It is advisable to appoint someone other than the lead custodian to be the privacy officer to ensure they are readily available to answer staff and patient questions.
The responsibilities of the privacy officer are key to the success of the Clinic Privacy and Security Program, as it is their duty to ensure compliance with the HIA. The privacy officer oversees the implementation of, and adherence to, the clinic’s privacy practices, including the clinic’s policies and procedures; monitors employees and the systems used to collect, use, disclose and access health information; and is responsible for frequently training all staff (custodians and affiliates) on privacy and security matters and best practices. Should a privacy breach occur, the privacy officer is the point person for the OIPC.
Affiliates
The title of affiliate is given to any personnel (other than the lead custodian) who is providing care or a service within the clinic. This includes reception staff, registered health providers, any physician not appointed lead custodian, locums, students, contractors, volunteers, IT companies, etc.
All affiliates are responsible for following and adhering to the Clinic Privacy and Security Program. They must know the details of the program and follow a clinic’s policies and procedures, understand how to be privacy compliant, attend training courses to stay current and informed, and know when to direct questions and confirm uncertainties with a custodian or privacy officer.
Information Managers
An information manager is any individual or company that provides health information management and technology services. This includes processing, storing, retrieving, disposing of, stripping, encoding, or otherwise transforming a clinic’s patient health information; examples include electronic medical record (EMR) vendors, information technology (IT) providers, shredding companies, etc.
It is the responsibility of information managers to ensure that all health information in their possession is properly safeguarded as directed by the HIA. Custodians and information managers are required to sign an Information Manager Agreement before entering into business with each other. This agreement outlines how the health information will be collected, used, and disclosed, as well as the steps that will be taken regarding expressed wishes, term and termination of the contract, and retention and disposal of information.