What a Clinic Needs to be Privacy Compliant

January 19, 2021

Privacy and Security Challenges

Privacy and security have always been important for physicians and our teams, but they aren’t necessarily top of mind for those of us practicing in a community medicine setting because of competing priorities. After the introduction of mandatory breach reporting by the Office of the Information and Privacy Commissioner of Alberta in 2018, many of us took the opportunity to learn about the general components of this work, including understanding the requirement for a Privacy Impact Assessment (PIA) and basic security processes. Additionally, you might be aware that an up-to-date PIA is required to participate in Community Information Integration and the Central Patient Attachment Registry. On top of it all, the current pandemic has forced us to come up with new ways of providing access to patients and to change our privacy practices to adapt to our new virtual world.

Increased Breaches

The recently released OIPC Annual Report highlights an increase in reports of privacy breaches and investigations. The report brings attention to the major types of breaches, including incidents in which someone who is authorized to access health information does so without a legitimate business reason, and correspondence misdirected by fax or email. Other incidents involving unauthorized disclosure of health information included:

  • Health care providers discussing health information with other providers not involved in a patient’s care.
  • A lack of security controls leaving health information exposed online.
  • Health information being shared on social media.

PIA Challenges

Even though most clinic staff and providers understand the importance of patient privacy, developing reports, writing and updating PIAs, and creating an overall culture of privacy and security is a challenging undertaking for us and our teams.

We are torn between the need to complete these tasks and the demands of providing patient-centered care, and we often lean on the support of our office managers, privacy officers or costly consultants to initiate this work internally. An absence of accessible security training for office managers and privacy officers, and the lack of a one-stop location to obtain self-serve resources, compounds the issue.

Hiring a privacy consultant to complete a clinic PIA may address the current need for a PIA or process development, but it does not build long-term capacity within the office.

Clinic Privacy and Security Program

The attitude towards PIA work by physicians and clinic staff is generally negative – we know it can be a time-consuming and confusing process. The solution to decreasing the burden of having to submit a comprehensive and tedious PIA is to implement a Clinic Privacy and Security Program.

Thinking about the elements of a privacy program and implementing the necessary elements are important steps towards creating safe privacy environments in the clinic. Maintaining the privacy program and reviewing it periodically will make it much easier to complete our due diligence and document our practices in a PIA as required by the OIPC.

The elements of a strong clinic privacy and security program include:

  • Creating or adapting privacy policies that cover the collection, use and disclosure of health information by clinic staff. The policies need to be reviewed by staff regularly and updated as needed when there are changes in the clinic.
  • All members of the clinic, including physicians, staff, and other professionals providing care, need to be aware of their specific roles and obligations with respect to security and privacy. This is best achieved by providing regular training for staff.
  • Safeguards should be in place in the clinic to protect privacy. These include technical, administrative and physical safeguards, and they should be tested on a regular basis to ensure that they are being adhered to.
  • Strong data sharing processes, including the completion of the required agreements that make the transfer of information safe, are also important to help clinics meet high security and privacy standards.
  • All the elements above should be articulated in the PIA and reviewed periodically. The PIA needs to be amended or resubmitted when there are administrative or technical changes that affect health information.

[Figure: SPaDS pyramid - Clinic Privacy & Security Program]

Security, Privacy and Data Sharing (SPaDS) Project

Health care professionals in our clinics have varying levels of knowledge and ability to implement these suggestions. Building a culture of security and privacy within a clinic is time consuming and can be difficult to sustain without the support of practical tools and learning modules.

To address the need for a more comprehensive approach to privacy and security, the AMA/ACTT launched the Security, Privacy and Data Sharing (SPaDS) initiative in collaboration with Alberta Health. The project’s mandate is to build capacity and understanding of the importance of security and privacy in community physicians’ clinics.

This includes increasing understanding of the urgency of updating PIAs, developing learning modules to build knowledge among clinic professionals according to their privacy roles within the office, and building capacity for community clinic personnel to continue this work for years to come.

If you have any questions about starting a Clinic Privacy and Security Program, please visit the AMA website or contact PrivacySPaDS@albertadoctors.org.

The AMA advances patient-centered, quality care by advocating for and supporting physician leadership and wellness.