Session Summary
Session Host: Lana DeBoon, Clinic Manager, AACM member
Guest Presenters: Ingrid Ruys, MAPP, CIAPP, HIPAA, Paralegal, ChPC
Recommended Resources:
- Session recording
- HIA - Office of the Information and Privacy Commissioner of Alberta
- Privacy Training | AMA
- Privacy Resources | AMA
Session Highlights & Themes
Session Objectives:
- Understanding the Health Statutes Amendment Act, 2024: Insights into the transition to a unified health care system comprising four sector-based provincial health agencies: primary care, acute care, continuing care, and Recovery Alberta (mental health and addiction).
- Implications of the New Protection of Privacy Act (PPA) and Access to Information Act (AIA): An overview of the legislation replacing the Freedom of Information and Protection of Privacy Act (FOIP), focusing on enhanced privacy protections, mandatory breach notifications, and updated access to information processes.
- Modernizing Privacy Practices: Strategies for implementing privacy management programs, conducting Privacy Impact Assessments (PIAs), and ensuring vendor compliance with Alberta's privacy standards.
- Responding to Commissioner Recommendations: Guidance on obligations and best practices when the Information and Privacy Commissioner provides recommendations following a PIA submission.
Key Takeaways
- Collect only what you need to do your job
- Identify any possible source of breaches – be vigilant
- Ensure that you are enabling all safeguards
- Encrypt – devices, electronic files
- Dispose of things in a proper manner
- If you see something, say something!
- Be sure that everyone knows what to do in the event of a breach (or incident) – the majority of breaches are not malicious, BUT ALL breaches should be reported to the clinic Privacy Officer
- Annual privacy training, privacy refresher
Privacy Principles
- Least amount of information – only collect the minimum necessary information to perform your job
- Need to know basis – access information only if it’s relevant to your role
- Highest level of anonymity - ensure anonymity when releasing information to third parties
- Legal authority - verify you have the legal right to release information. This might require a court order, subpoena, or specific legal authority like the Health Information Act (HIA)
- Consent or notification - Inform individuals why their information is collected and obtain consent when necessary. For example, consent is required to release information to insurance companies or legal counsel
Key changes from the OIPC
- The OIPC will no longer issue acceptance decisions (accepted, conditionally accepted, or not accepted)
- PIAs will now be reviewed, and a closing letter with comments and recommendations will be issued instead
- If a PIA submission is incomplete or insufficient, the OIPC will close the file and notify the submitter, asking them to consider resubmission if necessary. To avoid delays, the OIPC will not follow up with additional questions
- These changes aim to improve the efficiency of the review process and reduce backlog, potentially shortening the wait time from the current wait of up to two years
Practical Tips for Clinic Managers
Vendor due diligence - questions to ask before sharing patient data with a vendor:
- What type of data will be shared with, collected by or accessed by the vendor?
- What is the vendor permitted to do with the data?
- Where will the vendor store the data?
- How long will the data be kept, and what are the protocols around deletion?
- What security controls does the vendor have in place?
- Does the vendor have good privacy-by-design so that default settings favor privacy?
- Does the vendor have an incident response and recovery plan?
- Is there robust, publicly available privacy documentation you can review? (Ask about their PIA amendment template)
- Does the vendor have verifiable privacy certifications or trust marks?
- Does a quick online search reveal credible concerns (e.g., recent incidents) about the vendor’s privacy or security practices?
- Is anything about the vendor’s platform or service overly intrusive or “creepy”?
- Does the vendor have privacy professionals on staff?
Building a privacy-conscious clinic culture:
- Train (educate) - Sign everyone up for privacy training (on commencement and annually)
- Policies - Ensure that everyone knows where Mosaic privacy policies and procedures are kept and is given time to review them
- Post - Post regular privacy updates on your staff bulletin board
- Review - Set aside 5 minutes at each staff/team meeting to review new privacy matters
- Routines - Create routines that everyone follows, e.g., a clean desk, lock and walk, staying informed
- Own - All staff should treat privacy (patient, employee) as if it were their own information
- APT - Remind everyone of the safeguards - APT (Administrative, Physical, Technical) - and make it everyone’s job to make sure these safeguards are in place
- Policy and Procedure Review: Update privacy policies every two years to reflect regulatory changes and the clinic's evolving needs, involving the team to ensure practicality
- Privacy Training: Conduct ongoing training, including onboarding and annual refreshers, to maintain a privacy-conscious culture and address new risks like cybersecurity threats
- Privacy Impact Assessments (PIAs): Perform PIAs when introducing new services or changing processes involving patient data to proactively identify and mitigate privacy risks
- Supporting Medical Professionals: Provide privacy guidance, training, and policy updates to ensure medical professionals handle patient data responsibly
- Third-Party Management: Evaluate external partners through risk assessments to ensure they meet privacy standards before sharing patient data, minimizing outsourcing risks.
