Introduction
Alberta legislation grants the right to privacy for individuals, and it also outlines a number of requirements that apply to healthcare professionals. This includes designating a clinic privacy officer. The appointment of a designated privacy officer is a key aspect of a clinic’s protection of privacy and health information.
The relationship that physicians and their teams have with their patients is based on trust. Your patients trust the clinic team to make the right decisions for their health and they trust the staff to protect their privacy and health information.
This handbook presents the various duties a privacy officer must assume in a clinic and provides useful information about how privacy officers can meet the expectations that come with this role.
Designating a Clinic Privacy Officer
The clinic privacy officer role is a requirement under the Health Information Regulation, Section 8(2).
As the privacy officer for your clinic, you are the “go-to” person for information about Alberta’s Health Information Act (HIA). You are responsible for ongoing privacy and security policies and practices, and for emerging privacy and security issues that impact your clinic’s operational processes.
- It is vital that everyone in the clinic knows who the privacy officer is in order to direct incoming requests and emerging issues appropriately.
- It is important to note the privacy officer often depends on the Electronic Medical Record (EMR) vendor for many security functions, especially those of a technical nature.
The privacy officer can be a clinic physician or a responsible affiliate (for example, a clinic manager). To be successful in the role of a clinic privacy officer, an individual should have the following important skills:
- An understanding of EMR technology
- Familiarity with privacy principles
- An interest in learning more about privacy requirements and a commitment to staying current
- Knowledge of the clinic’s operations
- Rapport with clinic physicians and staff
Privacy Officer Quick Tips
The biggest privacy risk is internal misuse. Here are some tips to reduce your risk as it relates to staff:
- Engage employees so they feel accountable and involved.
- Act and be seen as a partner in privacy and security compliance.
- Network and communicate frequently.
- Develop and offer tools to make compliance easy.
- Embed awareness of clinic privacy requirements in staff behavior and organizational culture.
- Privacy is not an afterthought.
- Implement role-based hands-on procedures.
Taking this approach enables you to respond to new issues as they arise and to give employees ongoing updates so they can respond appropriately in the circumstances. It will also help you address concerns about your privacy policies and practices and strengthen your privacy training program.
While it is not possible to anticipate every question that patients will ask, providing key information and access to resources or individuals within the organization who can provide further information will help both patients and employees understand the clinic’s practices.
- Privacy and security self-assessment templates allow you to review your clinic’s policies and procedures and can indicate where you need to improve clinic procedures.
- Privacy training programs are available through the AMA.
Responsibilities of a Clinic Privacy Officer
The following list outlines the duties for which the clinic privacy officer is responsible, along with practical implications for each of these. Additional information is available in the Privacy Officer Advanced Training Curriculum through the AMA.
The duties of a privacy officer are divided into four key categories:
- Develop privacy policies and procedures and keep them up to date
Goal: to make sure legislation and clinic policies are being followed.
Task | Tip
Develop a process for updating privacy policy information. | The AMA has created 12 policy guidance documents to help you create the most requested policies in your clinic. Set up a reminder for reviewing policies.
Review and stay current with regulatory requirements. | Check the OIPC website and AMA website on a regular basis. Take the privacy training for privacy officers.
Ensure doctors, staff and affiliates are aware of, and have access to, the clinic’s privacy and security policies and procedures. | Provide new staff and physicians with all privacy policies when they start at the clinic.
Communicate policy and procedure changes to staff and physicians. | Determine the best way to do this for your clinic, e.g., clinic team meetings.
- Ensure clinic staff and vendors are aware of their privacy obligations
Goal: to make sure that the key safeguard of staff training is implemented.
Task | Tip
Coordinate overall privacy training for all staff and physicians in the clinic. | The AMA provides a comprehensive free program. You could consider doing the training as a team.
Track and ensure that privacy training is completed by all staff and physicians. | Create a tracking form or, if you use the AMA training, print out the available report as needed.
When necessary, provide training about changes in privacy legislation or changes in clinic policy. | Determine the best way to do this for your clinic, e.g., clinic team meetings (5-minute privacy moments), a privacy bulletin board, lunch and learns, etc.
Ensure all personnel have access to resources and support. | Make sure that they know where to obtain the latest information.
- Monitor your clinic’s ongoing compliance with the HIA
Goal: to ensure the security and protection of health information in the custody or under the control of the clinic.
Task | Tip
Implement and review safeguards on a regular basis to protect patient health information. | The safeguards are classified as physical, administrative and technical (PAT). The AMA has created a tool to help review safeguards and create an action plan.
Ensure a disclosure log is implemented and used consistently. | The disclosure log must include date, requester name, patient name, information released, method of disclosure and sign-off.
Audit EMR logs regularly. | Use the handbooks that are available from the EMR vendors. Make sure that you print and review the audit logs. Consider setting up a reminder for yourself.
Post privacy notices (about how your clinic collects information). | This is a requirement under the HIA. There is an editable template on the AMA website.
Create consent forms and ensure they are used appropriately. | There is a consent form on the AMA website that you can adapt.
Review confidentiality agreements with staff and Information Manager Agreements with vendors, and ensure compliance. | Use the template on the AMA website and make sure to keep a copy in a secure location (e.g., personnel files, locked cabinet, electronic folder).
Participate in updating your clinic’s PIA with new practice or system changes that affect collection, use and disclosure. | Turn your PIA into a tool that you use. Consider offering training about what is in the PIA, or creating a table of the policies contained in the PIA for quick reference.
Always maintain an electronic or paper copy of the clinic PIA(s) in your business records. | Ensure that the PIA is in a well-known location and can be reviewed and updated as needed.
- Act as the primary point of contact for staff and third parties such as patients, vendors and authorities
Goal: to ensure that the Health Information Act is being applied correctly.
Task | Tip
Be the primary contact for access and disclosure requests, and for requests to correct information. | The AMA Common Questions for Privacy Officers Advanced course is a great resource.
Review patient and client privacy complaints. | Keep a record of the complaints and follow up. This will help you address common issues in the clinic.
Answer questions from physicians and clinic staff. | Make sure you are referencing your clinic’s policies and procedures.
In the event of a privacy breach, follow the Breach Management Policy. | Download the cheat sheet and Breach Documentation form and have them handy when a breach is suspected.
The privacy officer journal is an administrative document of the clinic. When a new person becomes the clinic privacy officer, the journal should be passed to each subsequent incumbent. The privacy officer journal can be maintained electronically, in notebook format or as a binder—choose the format that is convenient and most likely to be maintained consistently over time.
Sample format:
Date | Type of Note | Notes
2021-Jan-31 | Change in EMR access request policy | New clinic physician and staff required to fill out EMR access request form prior to account creation
- Health Information Act Guidelines and Practices Manual (2011)
- Health Information Act Guidelines and Practices Manual, Chapter 15: 2020 Amendments (April 2021)
- Health Information Act Guidelines and Practices Manual, Chapter 14: Duty to Notify (August 2018)
- Health Information: A Personal Matter – A Practical Guide to the Health Information Act (OIPC)
This section provides definitions of terms used in applicable privacy legislation and clinic policies and procedures.
Term | Definition
Affiliate | An individual employed by a custodian; a person who performs a service for the custodian as an appointee, volunteer or student under a contract or agency relationship with the custodian; and a health services provider who has the right to admit and treat patients at a hospital as defined in the Hospitals Act. Source: Health Information Act Guidelines and Practices Manual 2011
Authorized representative | Any person who can exercise the rights or powers conferred on an individual under applicable privacy legislation. This includes the right of access to an individual’s health information and the power to provide consent for disclosure of such information.
Collect | To gather, acquire, receive or obtain health information. Source: Health Information Act, Section 1(1)(d)
Consent | An individual giving permission to have their information collected, used or disclosed to someone else. When consent is given, it must be documented, given for a specific purpose and duration, freely obtained and informed.
Custodian | A health services provider, individual, board, panel, agency, corporation or other entity designated as a custodian in the Health Information Act (HIA) or regulations, responsible for compliance with the HIA. Custodians under the HIA include: physicians and surgeons; pharmacists; optometrists; opticians; chiropractors; midwives; podiatrists; denturists; ambulance operators; registered nurses; dentists and dental hygienists; hospital boards; Alberta Health. Source: Health Information Act, Section 1(1)(f)
Disclosure | The act of revealing, showing, providing copies, selling, giving or relaying the content of health information by any means to any person or organization.
Expressed wish | Instructions given by a patient to a health services provider with regard to disclosures of their health information. This request must be documented and considered before subsequent disclosures of information.
Health information | One or both of the following: (i) diagnostic, treatment and care information; (ii) registration information. Source: Health Information Act, Section 1(1)(k)
Health Information Act (HIA) | An act of the Alberta legislature governing an individual’s right to request access to health records in the custody or under the control of custodians, while providing custodians with the framework within which they must conduct the collection, use and disclosure of health information. The act also covers the actions of affiliates.
Information manager | A person or body that stores health information or provides one or more of the following services and functions: processes, stores, retrieves or disposes of health information; strips, encodes or otherwise transforms individually identifying health information to create non-identifying health information (in accordance with the regulations); provides information manager or information technology services. Examples include EMR vendors, shredding companies, IT services companies, transcription service companies or anybody who encodes or modifies health information.
Information Manager Agreement (IMA) | A legislative requirement when a custodian hires an information manager. The agreement must contain clauses that address the following (note that this list is not exhaustive): services to be provided by the information manager to the custodian; the information manager’s authority to collect, use or disclose health information provided by the custodian; responsibilities of the information manager under the agreement; indemnity and hold harmless (the information manager’s accountability for all requirements identified in the agreement); policies and procedures to protect health information; term and termination of the agreement. Source: Health Information Act, Section 66(2) and Health Information Regulation, Section 7.2
Information Sharing Agreement (ISA) | In the context of EMR implementations, the legal contract between clinic organizations and EMR vendors that defines the data stewardship rules and processes to which the parties have agreed. It establishes the roles, expectations and accountabilities of each of the parties in their stewardship of the medical information in their custody. The ISA represents the operational application of health policy by physicians and is a major determinant of the structure and processes in EMR deployments and other medical record initiatives. According to the College of Physicians & Surgeons of Alberta, key elements of an ISA include: identification of the needs and objectives of the key stakeholders; principles that guide the development and maintenance of the agreement; details of the information uses and disclosures; details of the products and services available; transition services (entering and exiting the agreement); record retention and access; definition of the service levels; roles and responsibilities of each party to the agreement; financial and legal terms; governance and administration processes (including the makeup of the governing body and the dispute resolution process).
Office of the Information and Privacy Commissioner (OIPC) | An Alberta office established in 1995 to assist the Commissioner in fulfilling a mandate under the Freedom of Information and Protection of Privacy Act (FOIP Act). In 2001, the Commissioner’s jurisdiction expanded to include regulatory responsibilities for the Health Information Act. In January 2004, the Commissioner was given oversight responsibilities for the Personal Information Protection Act.
Personal Information Protection Act (PIPA) | An act of the Alberta legislature that protects individual privacy by requiring, in most cases, private-sector organizations to obtain consent for the collection, use and disclosure of personal information, and by providing individuals with a right of access to their own personal information.
Privacy breach | In general terms, a violation of a privacy rule. In the context of health privacy, any unauthorized access, collection, use, disclosure, loss or destruction of health information protected under the Health Information Act, or of other information protected under other acts.
Privacy impact assessment (PIA) | A due diligence exercise in which a custodian responsible for collecting, using and disclosing health information identifies, analyzes and addresses potential privacy risks that may occur in the course of a clinic’s operations. PIAs assist custodians in reviewing the impact that new programs, systems and practices may have on individual patient privacy, and ensure that changes are evaluated for compliance with the Health Information Act.
Privacy officer | An individual who is a custodian or an affiliate and who is designated to be responsible for: developing policies and procedures and keeping them up to date; ensuring that individuals working at or for a clinic are aware of their obligations; monitoring ongoing compliance with the Health Information Act; and acting as a primary point of contact for patients and other organizations such as the Office of the Information and Privacy Commissioner or other regulatory bodies.
Record | Information in any form, including notes, images, audiovisual recordings, books, documents, maps, drawings, photographs, letters, vouchers, papers and any other information that is written, photographed, recorded or stored in any manner. Does not include software or any mechanism that produces records. Source: Health Information Act, Section 1(1)(t)
Use of health information | To apply health information for a purpose, including reproduction of the information. Accessing information available through Alberta Netcare is considered a use, not a collection. Source: Health Information Act, Section 56.5(2)
Stakeholders and Authorities | For Assistance With
Alberta Netcare Provincial Service Desk | Local: 780.412.6778; Toll Free: 877.931.1638; Hours: 24/7
Office of the Information and Privacy Commissioner of Alberta | 1.888.878.4044
eHealth Netcare Support Services Team | Toll Free: 855.643.8649; Email: [email protected]; Hours: 8:15 a.m. - 4:30 p.m.
RSA Token Support | Toll Free: 844.542.7876
Health Information Act (HIA) Help Desk | Local: 780.427.8089 (Toll free in Alberta 310.0000); Email: [email protected]; Hours: 8:15 a.m. - 4:30 p.m., Monday - Friday
College of Physicians & Surgeons of Alberta | General inquiries: 1.800.561.3899; Questions about billing or PracIDs: 780.422.1522
Alberta Health |