Part 2 of our series on Privacy and Data Security Best Practices.
If you do not have one already, this is a great time to think about developing a robust privacy and security training program for your clinic. Here are ten simple steps that will help you get started:
Before you get started: put someone in charge. Clinicians are responsible for the personal information in their control. To comply with PIPA, every health care practice should have a designated Privacy Officer. For medical clinics, Doctors of BC, the CPSBC and the OIPC recommend that this be a physician.
These steps were developed, along with a complete Privacy Toolkit, in collaboration with the Office of the Information & Privacy Commissioner for BC (OIPC) and the College of Physicians and Surgeons of BC (CPSBC). Although they were written with physicians in mind, they are aimed at private health clinics that are required to comply with PIPA, so they also provide excellent guidance for private dental clinics, chiropractors, and other healthcare professionals. In a nutshell:
- Be familiar with PIPA’s privacy principles. Doctors of BC’s Ten Principles for Protecting Information in Physician Practices is a nice, concise guide.
- Ask yourself, what personal information do you collect, and how do you manage it?
- Ask yourself, is how you are handling this information meeting PIPA obligations? Chances are this is not a problem. But you must be compliant.
- If there is a problem, do something about it! No matter how small or large the clinic, every staff member should be considered when developing your privacy and security program.
- Make sure your security measures are adequate for the highly sensitive nature of your clinical records. Ask yourself, what would be the impact on your clinic if your patient information were compromised through a security breach?
- Make sure both staff and anyone contracted to handle personal information on behalf of your health care organization are aware of what they must do to protect privacy. Staff education is essential.
- Ask yourself, do your contracts adequately address the privacy implications of having third parties, including IT support and EMR service providers, handle your patient data? Contracts should clearly state the purposes for which contractors are allowed to access and use personal information and forbid any other use or disclosure.
- Ask yourself, would you know what to do if a privacy complaint occurs? Or if you become aware of a security breach? If you are not sure, get advice.
Does all of this seem a bit daunting? Actually, developing a robust culture of privacy and security in your clinic isn’t difficult. Clinics have developed very effective privacy and security policies completely on their own. The important thing is to get started, and to get started now, before a costly privacy or security incident occurs.