10 Practical Steps to Help Clinicians Comply with Privacy Legislation

Part 2 of our series on Privacy and Data Security Best Practices.

If you do not have one already, this is a great time to think about developing a robust privacy and security training program for your clinic. Here are ten simple steps that will help you get started.

Before you get started: put someone in charge. Clinicians are responsible for the personal information in their control. To comply with PIPA, every health care practice should have a designated Privacy Officer. For medical clinics, Doctors of BC, the CPSBC and the OIPC recommend that this be a physician.

What’s next? A great starting point is Doctors of BC’s “Ten Steps to Help Physicians Comply with PIPA”, the Personal Information Protection Act for British Columbia.

These steps, together with a full Privacy Toolkit, were developed in collaboration with the Office of the Information & Privacy Commissioner for BC (OIPC) and the College of Physicians and Surgeons of BC (CPSBC). Although they were written with physicians in mind, they are aimed at private health clinics that must comply with PIPA, so they also provide excellent guidance for private dental clinics, chiropractors, and other healthcare professionals. In a nutshell:

  1. Be familiar with PIPA’s privacy principles. Doctors of BC’s Ten Principles for Protecting Information in Physician Practices is a nice, concise guide.
  2. Ask yourself, what personal information do you collect, and how do you manage it?  
  3. Ask yourself, is the way you handle this information meeting your PIPA obligations? Chances are it is, but you must verify that you are compliant rather than assume it.
  4. If there is a problem, do something about it!  No matter how small or large the clinic, every staff member should be considered when developing your privacy and security program.
  5. Do you have a Privacy Policy?  Do patients and staff know about it?
  6. Make sure your security measures are adequate for the highly sensitive nature of your clinical records. Ask yourself, what would be the impact on your clinic and your patients if your patient information were compromised through a security breach?
  7. Make sure both staff and anyone contracted to handle personal information on behalf of your health care organization are aware of what they must do to protect privacy.  Staff education is essential.
  8. Have forms and communication materials in place to inform patients about your clinic’s privacy policy and information practices. The BCMA (now Doctors of BC) provides sample forms in the Privacy Toolkit that you can adapt for your clinic.
  9. Ask yourself, do your contracts adequately address the privacy implications of having third parties, including IT support and EMR service providers, handle your patient data? Contracts should clearly state the purposes for which contractors are allowed to access and use personal information and forbid any other use or disclosure.
  10. Ask yourself, would you know what to do if a privacy complaint were made? Or if you became aware of a security breach? If you are not sure, get advice before it happens, not after.

Does all of this seem a bit daunting? Actually, developing a robust culture of privacy and security in your clinic isn’t difficult. Clinics have developed very effective privacy and security policies completely on their own. The important thing is to get started, and to get started now, before a costly privacy or security incident occurs.

If you need help, contact us.