    privacybreach

    Explore "privacybreach" with insightful episodes like "Managing Employees When They Make Mistakes - Addressing Employee Performance", "5 Steps to Prevent Employee Snooping", "Table-Top Privacy Breach Fire Drill", "Remote Working Privacy Breach Pain Prevention | Episode #089" and "PIPEDA’s Mandatory Privacy Breach Notification | Episode #084" from podcasts like "Practice Management Nuggets" and more!

    Episodes (7)

    Managing Employees When They Make Mistakes - Addressing Employee Performance

    Have you ever had an employee who has made a mistake and now you’re scrambling about what to do next?

    Your business needs a set of reasonable rules and guidelines for employees to follow. This helps to create a safe and respectful workplace and protect the privacy rights of your patients and employees.

    Your healthcare practice should have a written policy and procedure to guide you in your response to a privacy and security incident.

    Sometimes, our employees have been directly involved in the incident. For example:

    • Petty theft (personal gain)
    • Snooping in patient or employee records (disregarding policies)
    • Faxing a report to the wrong recipient (carelessness)
    • Using patient or employee information to cause harm (malice)

    When employees and healthcare providers fail to meet our expectations, sanctions or discipline may be appropriate.

    In this episode #105 of the Practice Management Nuggets Podcast, guest human resources expert Stacey Messner, Leader in HR, gives practical advice to clinic managers and privacy officers on navigating difficult conversations after an employee makes a mistake, addressing employee performance improvement, and workplace restoration practices.

    Show Notes

    00:00   Welcome

    01:00   Introduction Stacey Messner, Leader In HR

    StaceyMessner.com

    05:29   Stacey Messner’s #1 Tip for Healthcare Providers and Clinic Managers about managing human resources.

    06:37   Scenario: Privacy incident in Ontario using workplace restoration

    Office of the Information and Privacy Commissioner (IPC), PHIPA Decision 163. 20221-10-19. https://decisions.ipc.on.ca/ipc-cipvp/phipa/en/item/515275/index.do

    10:09   Workplace restoration is about trust

    14:39   Scenario: Looking at patient records

    17:36   HR Checklist

    19:16   What happened from their perspective? Being a better listener

    26:37   Other scenarios

    33:29   Consequences – Practice Management Success Tips

    34:21   Get Stacey Messner Listen Differently Tip Sheet at https://StaceyMessner.com  

    See all the show notes: https://PracticeManagementNuggets.Live

    5 Steps to Prevent Employee Snooping

    Healthcare Employers, Privacy Officers Need To Prevent Employee Snooping

    Human curiosity, interpersonal conflicts, shaming or bullying or financial gains are common motivators for snooping. We seem to be hard-wired to want to peek into someone else’s personal and private information. Snooping is a violation of trust between our patients and the healthcare providers and the people who work for them.

    We want our patients to trust us. We need patients to share their personal information with us so that we can provide the appropriate health services to them. When healthcare providers and employees snoop in our patients’ information, we destroy that trust with the patient. When employees are snooping in personal health information, it costs the employer time and money.

    What Is Snooping?

    Looking at someone’s personal information without having an authorized purpose to access that information to do your job is known as ‘snooping’.

    Even when you are “just looking” at personal information but don’t share that information with anyone else, this is still a privacy breach.

    It is illegal.

    Snooping incidents are on the rise and can cost you time, money, heartache, and headache in your practice.

    When there is an offence under the privacy legislation like the Health Information Act, there may be an investigation, charges and court appearances, fines, penalties, and loss of employment.

    Snooping is entirely preventable. You can easily use the 5 low-cost steps to prevent employee snooping in your healthcare practice.

    How Can You Prevent Employee Snooping?

    Let’s take a look at the pro-active steps that you can take today to prevent employee snooping.

    Show Notes

    00:00 5 Steps To Prevent Employee Snooping   *start podcast here

    01:01 What is Privacy? What is a Privacy Breach?

    01:29 What Is Snooping?

    03:08 Step 1. Be A Privacy Champion

    03:25 Name A Privacy Officer - Accountability

    04:41 Policies And Procedures

    05:11 Build Privacy Into Everything You Do

    05:20 Step 2. Train

    08:13 Step 3. Reasonable Safeguards

    09:34 Step 4. Monitor

    10:21 Step 5. Consequences

    10:48 Sanctions and Discipline Policy

    11:08 Privacy Breach Reporting

    11:17 Employee Snooping

    13:05 Summary 5 Steps

    https://informationmanagers.ca/5-steps-to-prevent-employee-snooping/

    Key word Searchie https://PracticeManagementNuggets.Live/search  

    Table-Top Privacy Breach Fire Drill

    Use Table-Top Privacy Breach Fire Drills to Protect Your Practice

    Healthcare providers, owners, and privacy officers hear about big privacy breaches on the news and hope it won’t happen to them. It keeps them up at night...because they know that properly preventing or managing a privacy breach is critical to the continued success of their business!

    If a privacy and security incident hits, you will be in crisis mode. This is not the time to read your procedures for the first time. Instead, having a solid, approved, and well-tested privacy breach management plan will be critical to an effective response.

    Invest now in table-top exercises or ‘fire drills’ with your privacy incident response team using a simple privacy breach scenario. Use your written policies, procedures, forms, and create sample privacy breach response plans or ‘playbooks’ for different types of scenarios. This will help you to be better prepared in the event of an incident and—even better—help you to prevent a privacy breach in your healthcare practice.

    Recorded February 23, 2021

    Show Notes

    00:38  Introduction Jean L. Eaton

    00:45  Find an example.

    Saskatchewan IPC finds ransomware attack results in one of the largest privacy breaches in this province involving citizens’ most sensitive data. January 8, 2021 - Ron Kruzeniski, Information and Privacy Commissioner. https://oipc.sk.ca/saskatchewan-ipc-finds-ransomware-attack-results-in-one-of-the-largest-privacy-breaches-in-this-province-involving-citizens-most-sensitive-data/

    04:15  4 Step Response Plan

    05:20  Step 1 Contain the Breach

    05:50  Step 2 Evaluate the Risks

    06:54  Step 3 Notify

    07:19  Step 4 Prevent The Breach From Happening Again

    Do you need help to create your privacy breach management plan – and a mentor to help you get it done? Check out the 4 Step Response Plan https://informationmanagers.ca/4-step

    Remote Working Privacy Breach Pain Prevention | Episode #089

    Have some of your employees been working remotely during COVID-19?

    If schools re-open with children attending alternate days, will your employees continue to work from home on alternate days?

    Do the social distancing guidelines for re-opening suddenly limit the number of employees who can work out of your current space?

    Or, are you considering changing your business structure to include remote working as your new business model?

    In this podcast, Jean L. Eaton will discuss privacy breach risks when remote working - and how you can prevent them!

    Get the show notes and links to the templates at https://PracticeManagementNuggets.Live 

    PIPEDA’s Mandatory Privacy Breach Notification | Episode #084

    Organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, are required to report to the Office of the Privacy Commissioner (OPC) any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals. They also need to notify affected individuals about those breaches, and keep records of all data breaches within the organization.

    On today's podcast, PIPEDA’s Mandatory Privacy Breach Notification, we will look at how PIPEDA applies to healthcare organizations and the vendors that support them.

    The Privacy Commissioner shares lessons learned after one year of mandatory breach reporting requirements under PIPEDA.

    Does PIPEDA Apply To You?

    PIPEDA applies to private sector businesses across Canada with the exception of Quebec, Alberta, and BC. In these provinces, provincial legislation which is substantially similar to PIPEDA applies. In all cases, businesses which handle personal information which crosses provincial or national borders fall under PIPEDA regardless of which province they are based in.

    In Alberta, we have privacy legislation called the Health Information Act (HIA) that takes precedence over PIPEDA and Alberta's Personal Information Protection Act (PIPA). If a business, like a physician's office, has a privacy breach which includes health information, then the custodian of the physician office must report the privacy breach following the HIA regulations. If employee information or other non-health information is included in the breach, then that triggers privacy breach notification under PIPA. Sometimes, a breach can include both types of information and the physician office must notify under both pieces of legislation.

    In BC, the Personal Information Protection Act (PIPA), BC's private sector privacy law, has also been deemed substantially similar to the federal private sector privacy law. BC does not have health information specific privacy legislation, so PIPA applies to private organizations in BC, including physician practices, and governs how the personal information about patients, employees and volunteers may be collected, used and disclosed.

    If you are a business in Canada, for example, an electronic medical records (EMR) business and you have a data center in Canada where all of your clients provide their information and store it in your data center, the EMR vendor likely falls under the PIPEDA regulations.

    The vendor may be responsive to other legislation as well. If you are an EMR vendor, you do not directly comply with the HIA in Alberta because that applies only to custodians. However, as an information manager of a custodian under the HIA, you have some obligations under the HIA in the event of a privacy breach. But that does not mean that you don't also have obligations under PIPEDA.

    Listen to the podcast to learn more!

    Show Notes

    You can advance the audio to the time entries

    03:00  PIPEDA

    03:18  Does PIPEDA apply to you?

    04:11  Alberta

    04:53  British Columbia

    05:26  EMR vendor and businesses that support healthcare practices

    06:52  What is personal information

    07:44  Why is privacy important?

    In 2017, 65% of large organizations with more than 100 employees indicated that they were privacy aware, but only 43% of small businesses indicated that they were privacy aware.

    09:11  What Is A Privacy Breach

    12:44  PIPEDA Mandatory Privacy Breach Reporting Process

    12:55  Keep Records

    13:27  ROSH

    14:04  Report to the OPC

    14:10  Notification

    Information Manager Agreement – should indicate if a vendor should directly notify a patient about the privacy breach or if the custodian will do the notification. The Information Manager Agreement should also identify which party (parties) is responsible for the cost of notification.

    See the Practice Management Success Tip – Top 3 Agreements https://InformationManagers.ca/Top-3

    15:46  What is ROSH?

    17:47  What information, circumstances of the breach.

    19:33   CASL Canada’s Anti-Spam Legislation

    20:34  Good Privacy Is Good For Business

    When we know better, we can do better…

    I’ve helped hundreds of healthcare practices prevent privacy breach pain like this. If you would like to discuss how I can help your practice, just send me an email. I am here to help you protect your practice.

    How to Manage a Privacy Breach with Confidence

    The 4 Step Response Plan will help you prevent privacy breach pain and give you the tips, templates, training, and tools that you can use right away to prepare your privacy breach response plan:

    In the world of privacy breaches ‘If’ has become ‘When’. Will you be ready?

    Click here for more information on the on-line 4 Step Response Plan course available now!

    https://informationmanagers.ca/4-step


    New! Podcast Key Word Search Tool

    Did you hear something on today’s podcast that you would like to go back and listen to again?

    Or, maybe you heard something on one of our previous podcasts that you want to listen to again, but you can’t remember which one and you would like to find it quickly and easily.

    Well, that’s easy to do now!

    If you heard something on this podcast that you want to re-visit, go to PracticeManagementNuggets.Live/search and enter the keyword in the magic box.

    You will automatically be brought to the podcast at the exact spot where we talked about it.


    Rate and Review the Podcast

    I am honoured that you choose to spend your time with me today. Thank you for the opportunity to share my obsession about privacy, confidentiality and security with you!

    Reviews for the podcast on whatever platform you use are greatly appreciated!

    When you provide your honest feedback it helps other people just like you find content that may help them, too.  If you received value from this episode, please take a moment and leave your honest rating and review.

    Jean L. Eaton, Your Practical Privacy Coach

    and Your Practice Management Mentor

    with Information Managers Ltd.

    Do You Know Where Your Policies and Procedures Are? | Episode #079

    The way a healthcare provider collects, uses and discloses personal health information (PHI) is critical to an efficient healthcare practice.

    It’s also required by legislation and professional college regulations and standards.

    Policies and procedures must be in writing, available to employees, and monitored to ensure that they are followed. Otherwise, you face all sorts of risks, including privacy breaches and other legal problems.

    Don't let this happen to you!

    Everyone in a healthcare practice — including front office staff, wellness practitioners and physicians and other custodians — must be aware of and follow these policies and procedures.

    These policies and procedures also become the foundation of your privacy impact assessment (PIA).

    That’s why, in this Practice Management Nugget, we’ll review a privacy breach investigation report from Alberta's Office of the Information and Privacy Commissioner (OIPC).

    PRIVACY BREACH NUGGETS are provided to help you add a ‘nugget' to your privacy education program. Share these with your staff and patients as a newsletter, poster, or staff meeting.

    Jean L. Eaton, Your Practical Privacy Coach

    References

    Alberta Office of the Information and Privacy Commissioner. Investigation Report H2019-IR-01 Investigation into alleged unauthorized accesses and disclosures of health information at Consort and District Medical Society Clinic. May 21, 2019. https://www.oipc.ab.ca/media/996888/H2019-IR-01.pdf


    New! Podcast Key Word Search Tool

    This video key-word search tool uses the new Searchie app. If you would like to know more about this, visit InformationManagers.ca/likes-searchie.

    FAQ: When Physicians are Snooping in Patient Records | Episode #069

    Snooping is a privacy breach!

    When an authorized person accesses patient records for an unauthorized purpose, this is often considered snooping.

    If you work in healthcare, it is your job to manage each privacy breach with confidence, compassion, and transparency to the individuals affected by a privacy breach.

    In this podcast episode, Jean L. Eaton answers frequently asked questions (FAQ) about custodians looking up their family members on Alberta Netcare Portal.

    Learn NOW how to respond to a #PrivacyBreach – Don’t get caught scrambling when a privacy breach happens.

    Podcast Sponsor – Practice Management Success

    Are you feeling frustrated with the same problem over and over again in your clinic?

    Or solving one problem just to find another problem popping up?

    Don’t know where to go for help?

    Many new and seasoned clinic managers find that they need help from time to time from other clinic managers who understand their problems.

    Join us at Practice Management Success!

    Show Notes

    Recorded Oct 16, 2018

    00:19  Custodian Snooping

    02:37  Don’t Forget to Train About Appropriate Access

    03:21  Just Because They Say They Know Isn’t Enough For the Business of a Clinic

    04:32  Discipline and Notification

    Do This Now

    Members of Practice Management Success can access the video of this episode and the resources here.

    If you are not a member of Practice Management Success, yet—what are you waiting for?

    With your membership to Practice Management Success, you will get great tips, tools, templates, and training that you can use right away to help you start, grow, maintain, or fix your healthcare practice.

    © 2024 Podcastworld. All rights reserved
