Five Steps to Minimize Privacy Breaches
February 15, 2022
The relationship between physicians and patients is entirely based on trust. Not only do they rely on physicians to provide excellent care, patients also have a right to expect that their private health information will be protected by physicians and clinic staff.
In order to minimize the risk of potential breaches, it is important that all staff strive to create a clinic environment that is privacy aware. To achieve this standard, privacy must be ingrained into the day-to-day practices and culture of the clinic.
Patient privacy should be a primary consideration in all decisions, including the vendors that you will be collaborating with, what patient data you will be collecting, and which policies and procedures are implemented.
The following five steps are ways to create a privacy aware clinic and help minimize the chances of breaches within your clinic.
Step One: Training
As new staff are brought into the clinic, or as policies and procedures are revised, all individuals must be made aware of how to handle patient information in compliance with the Health Information Act (HIA), and how privacy regulations apply to their daily work. Training must also be provided so that staff are able to properly identify cyber threats (such as phishing or ransomware), and so that they are aware of what to do should they suspect a privacy breach.
In addition to clear and thorough instruction about privacy regulations for clinic staff at the outset, ongoing training is crucial to ensuring that knowledge and skills around these issues stay current. Integrate privacy and security training into day-to-day practice (including regular updates at staff meetings) and ensure that staff are aware of the resources and supports available, such as who to contact in the clinic should questions or concerns arise.
Free Privacy Training
The Alberta Medical Association has partnered with Alberta Health to offer free privacy training for physicians and staff working in community-based clinics. Learn more today!
The Scenario: Unauthorized records access by staff
A clinic employee on leave entered Dr. A’s clinic during office hours and accessed EMR records using another employee’s login credentials. A staff member later informed Dr. A that the employee accessed the medical records of family and friends and removed copies of files from the clinic.
The Outcome: Clinician found responsible
An investigation by the Office of the Information and Privacy Commissioner of Alberta (OIPC) found the clinic had policies and procedures to prevent such inappropriate access but none of the staff had been trained. No one in the clinic could locate the Privacy Impact Assessment (PIA) that had been completed.
This failure to train staff about clinic policies and procedures designed to safeguard patient privacy means the actions of untrained staff are the responsibility of the lead custodian.
Step 2: Gap Identification and Remediation
Regular assessments to identify risks for privacy breaches across your clinic will offer opportunities to remediate gaps in policies and procedures. For example, a walkthrough of the clinic may identify that the radio isn’t on, and therefore private conversations are audible to others. It may also become clear that the clean desk policy is not being followed, or that the door to the file room is unlocked. Identifying these gaps and clarifying current procedures (or implementing new ones) will ensure that patient privacy is safeguarded.
Safeguard Checklist
Download the Safeguard Checklist tool to help you with your clinic review.
Step 3: Use Secure Communication Methods
Inbound email is the number one way that clinics are exposed to ransomware, which is one of the reasons that email is not an appropriate tool for sending or receiving patient information.
Clinic staff must ensure that the methods of communication in use are secure and compliant, and that all staff and patients have been made privacy aware. Faxes gone astray, using non secure email, such as Gmail, and connecting to public Wi-Fi are three potential risks to your clinic.
Step 4: Security Measures
It is important that proven security measures are followed by all clinic staff to ensure the safety of patient information. Complying to rules around passwords and unique user logins, as well as lock and walk policies, will maintain the integrity of clinic data. Software updates must be routinely performed, as most updates contain security patches, and all storage and backups must be encrypted.
Step 5: Pick Your Partners Wisely
Maintaining patient privacy is not only the work of clinic staff, but it will also fall to any vendors that are working with the clinic. As a result, it is crucial to keep this in mind when choosing vendors, and ensuring that they take privacy seriously, and are willing to work with your compliance requirements. Equally important are the agreements themselves. They must be consistent and confidential, and limit liability. Having agreements professionally reviewed will support best practices.
The Scenario: Mistaken medical notification
During a patient list data transfer within a software system used by multiple clinics, a technician selected the wrong list of patients and triggered a notification welcoming them to a clinic they had no connection to. Dozens of patients complained and threatened legal action.
The Outcome: Vendor responsibility
The clinic from which the information was accidentally moved had a correct and up-to-date Information Manager Agreement (IMA) in-place with the vendor which clearly put responsibility for the action on the vendor. Without it, the clinic would have been held responsible and required to address the issue entirely on their own.
These five steps are a great way to create and maintain privacy aware clinics, as we ask all staff to protect patients’ information as if it were their own. Safeguarding patient privacy is in everyone’s best interest, as a necessary extension of the excellent care the clinicians provide to patients every day in our province.
