Yup – you do!

I have heard from a lot of healthcare teams recently that they have been struggling with vacation, sick days, leaves of absence and unexpected departures from the Privacy Office.  When you rely on one person in your organization to deal with all the privacy issues, you can feel vulnerable when that person is too busy, off or leaves for good.

Here are my 3 tips for managing Privacy Officer back-up:

Tip #1: Have a few people (or at least two people – Privacy Officer and a spare) within the organization who understand the role and responsibilities of a Privacy Officer so you can bridge short- and long-term absences of your Privacy Officer. Some health teams I know have a Privacy Committee that addresses serious privacy breaches. A member of that Committee could be tapped to step in for a Privacy Officer’s vacation or leave of absence.

Tip #2: Document the key components of your privacy compliance program and have a paper or electronic folder explaining how the program runs and where the files, to-do lists, projects, and templates can be found. There is nothing worse for an organization than having an entire “Program” only operating in one staff member’s mind, memory and actions.  While your Privacy Officer may be top notch, your organization is at risk if that person is the only person who knows anything about your organization’s privacy practices, compliance and up-coming obligations.  Every Privacy Program (even for small teams where “Program” seems like a laughable notion) needs to be documented for succession planning and back-up purposes in addition to complying with PHIPA and expectations of the Information and Privacy Commissioner.

Tip #3: Use external resources if needed.  You need to know who to ask for help when your Privacy Officer is away, such as a privacy lawyer or consultant.

Succession planning and back-up planning are essential components of your privacy compliance. Don’t forget to plan for positive absences such as vacations and promotions so that you can also respond to unexpected negative absences such as sickness, long-term disability or departures.

Health Sector Privacy Officer training for your SPARE!

My next Privacy Officer course will be on October 30th.  For more information and to register, click here.  This course is for actual Privacy Officers, but is also perfect for Privacy Officers-in-training or the “spare” Privacy Officer for your healthcare organization.  In this course I will train you how to document your privacy program so that you are set up for compliance and succession planning.

Here are some other resources you might be interested in:

  1. Attend one of my free Ask Me Anything about Health Privacy webinars – the first Wednesday of every month at 10am EDT/EST – if you missed any, they are also available for replay for purchase
  2. Join me for my next Advanced Privacy Officer training on December 10 – for practicing your skills.
  3. If you need advice on how to manage a privacy breach, complaint or query – call me! That’s what I do!
  4. Invite me to do your team privacy training or assist you with privacy policies
  5. Want to read about all the PHIPA privacy decisions of the IPC? Click here to get my free up-to-date summary of all the IPC’s PHIPA Decisions.

Hope to see you soon!


I recently witnessed a dispute within my faith community.

One congregant was accused of violent and highly inappropriate activity.

The synagogue struggled to respond.

Things escalated. People took sides. Positions became entrenched. There was a mixture of genuine concern, mythology, innuendo, hyperbole, valid issues to be addressed and unsubstantiated issues that needed to be cleared up or dismissed.   It was divisive and extremely difficult for the community to manage.

The lack of process left the congregation and its leaders in limbo and confused, vulnerable and questioning their desire to continue in community.

Have you witnessed a bad situation where the organization’s response or lack of response made things worse?

As a lawyer who has worked in healthcare for 20 years, I have responded to hundreds of disputes between patients or caregivers and staff.

I deal with a lot of people behaving badly. Sometimes the person behaving badly is the patient or caregiver. Sometimes it’s the health care provider. Sometimes it is the organization. Sometimes it’s a combination of everyone.

Here are the key steps your organization should take to respond to bad behaviour and avoid making matters worse:

Step #1: Have a written policy.

It is vital for any healthcare organization to have a written document the leaders can turn to in times of turmoil and dispute.

If you have a small healthcare team, I can anticipate your response to this … “we’re too small”, “we love our informal leadership style”, “we’re ill equipped to develop something”, “we don’t have the resources to hire someone to write a policy”, “policy? What policy?”

Every healthcare organization of every size needs a policy.  It can be simple.  But you have to have something.  It helps you when there is a challenging situation if you can point to a process that demonstrates objectivity, due process and fairness.  It helps you keep your commitments to your mission, vision and values. Having a process in advance removes the risk of allegations of discrimination and bias which erode trust. Process fairness upholds the dignity of a community.

Step #2: Take decisive action in an emergency. 

You have the authority to address urgent security and values issues immediately.  Leaders must have the authority to remove someone from the premises in the moment to address an urgent need.  Once that happens, the complaints management policy needs to kick in. Early action does not have to be “perfect”. You can make mistakes. When in doubt, remember that safety trumps everything else.

Step #3: Be principled. 

Complaints management needs to reflect a few key principles: fairness and due process, safety, upholding the mission, vision and values of the organization, objectivity, transparency, consistency, timeliness, confidentiality and efficiency of operations.

Step #4:  When a problem arises – address it.

It’s not fair to an individual and the others they are affecting to ignore their low lying yet consistently inappropriate behaviour.

Such behaviour requires early intervention and careful documentation including and especially to the individual – who can misunderstand the severity of a situation when they are being casually told to stop.

Without tough conversations and escalating formality of documentation early on, seemingly benign situations have a way of escalating into situations where the only option is severance of relationship. That is deeply divisive and damaging in healthcare settings. It’s unfortunate when such situations could have been prevented by setting clear expectations, communicating standards and documenting those efforts.

Step #5: Informal minor complaints don’t need a lot of fanfare.

Informal complaints should be addressed informally and on an ad hoc basis.  Regular everyday queries about poor service and interpersonal slights may be addressed informally by the individuals themselves and as necessary with leaders without triggering the need for a formal process.

Frivolous or vexatious complaints should be dismissed. If a complainant’s allegations do not rise to a need to be addressed, have been raised without merit or with intent to derail operations, or are blatantly false – you should say so. If the allegations, even if proven to be true, would not require action by the organization – then dismiss the complaint. There should be an off-ramp option to close frivolous or vexatious complaints early. Do not over-promise, for example, that there will always be an investigation, because there doesn’t always need to be one.

Step #6: Be serious about serious allegations.

Certain types of complaints can never be addressed informally. Serious allegations should be formalized. These types of allegations include sexual misconduct, harassment, criminal conduct, theft, violence, and abuse. If anyone raises such allegations, they must be followed up and addressed. Such allegations can never be dismissed out of hand, ignored or delayed in action.

Serious allegations must be recorded in writing.  In most situations it would be the individual who writes their allegations themselves.  Otherwise, they should be summarized back to the complainant in writing for confirmation.

Step #7: Clarify roles.

It needs to be clear who has investigative powers and decision-making authority. Conflicts of interest need to be identified early and managed appropriately.  Only those tasked with responsibility should be involved and role delineation needs to be carefully maintained.

Step #8:  Keep confidences.

It needs to be clear to all participants and leaders what the rules of confidentiality are in the complaints process. You should discourage unsanctioned investigations and side conversations.

Step #9: Follow due process and fairness to people accused of things.

Accused individuals need protections too. In most situations they have a right to know the complaint against them. They have a right to respond and share their perspective. They may have a right to provide evidence and ask you to interview people they identify as supportive of their position.

Step #10:  Investigate.

The word “investigations” sounds intimidating – but they don’t have to be. However, there has to be some rigour to the collection of relevant information or evidence. All the relevant information needs to be collected. This may be simple or complex depending on the issue – it can take minutes or hours or days or weeks.

Step #11: Act proportionately.

Decisions need to be fair and consequences have to be consistently applied. You should avoid deciding one way when the same facts relate to a pleasant nice person and another way for a pain in the neck person. Consistency removes the risk of bias and discrimination.

Sometimes there is no response required because the allegations are unfounded.

If the serious allegations are found to be true there needs to be a response.  That response needs to be proportionate.

If the behaviour was not that serious – the result should not be serious.   Banning someone is a super humungous deal.  Sometimes that is the only reasonable result.  But there is a range of response that should be considered if the offending behaviour does not rise to the most serious.

As part of a proportionate response you may have to consider the length of time of the consequences. Most action warrants a temporary response with an opportunity for return. A permanent decision with no opportunity for restitution and return would be applied in only the most serious of situations of public safety.

Step #12: Sometimes, you have to ban someone.

If you ban someone you have to follow through.  You need resources to enforce your decision.  Failure to enforce your decision leaves the organization, staff, co-patients and the community at increased risk.   You cannot identify someone as a serious risk of harm sufficiently to warrant a permanent ban and then not enforce that decision. As necessary, involve security or the police. If you fail to enforce a ban, something terrible could happen. You also want to ensure your staff understand the rules so they can enforce them and have the means to do so.

Step #13: Communicate your decision.

Your decision must be communicated to the accused and in some cases the complainant.  At the very least the complainant deserves information that the complaint has been addressed and in some cases what you are going to do about it.

Clarity of response and action required by the offender must be communicated – almost always in writing. It should be clear whether the decision will be reviewed in the future and when.

Next Steps:

Being prepared for conflict is a requirement for all healthcare leaders.

If you would like some help preparing your team to manage conflict and de-escalate disputes between patients, caregivers and staff, contact me for more information on my team training.

Here are some of the testimonials from my recent training sessions:

Kate captivates the room within minutes. She knows the audience and is keen to support everyone in the room. She energizes the learning environment and she knows what is relevant and how to deliver a difficult point with professional wit! She is a great combination of fun personality and a brilliant mind!

I highly recommend Kate’s “Managing Conflict” workshop – she is incredibly engaging and covered the topic very well! Laura Hornby RN

Kate is AWESOME! Such an excellent speaker. Very engaging, knowledgeable and personable. By far, my FAVOURITE facilitator in 30 years in the medical field. Rhonda Ruppert, Site Coordinator

This was one of the best training sessions I have been to. Kate was a great presenter. She kept my focus all day; holding my attention all day is a great feat. Kathy McKee

The most important thing I learned was having some ‘go-to’ phrases, reviewing how to de-escalate situations, seeing different perspectives.

Being reminded to use my internal dialogue, “I can do this!” “remember to take a breath” was helpful.

I really liked finding our anger patterns (What can we do to head off problems?)

The notion of putting oneself in a variety of persons’ perspectives (not just another person’s shoes, but also their child, the other patients in the room, the doctor, etc.) – that was the most important thing I learned.


A patient wants a copy of their health record.

You give them your organization’s form to fill out before you give them a copy.

What are you allowed to ask on that form? If your questions are not all answered, are you allowed to  send back the access request as “incomplete”?

That’s the subject of a new decision of the Information and Privacy Commissioner of Ontario (IPC) – Decision 93.

In Decision 93, a patient of a hospital asked for a copy of their record.  The patient complained to the IPC about the fees charged for processing the request. The fee dispute was settled between the hospital and the patient.

What’s fascinating about this decision is that the IPC goes on to comment on the hospital’s process of rejecting “incomplete” record requests.

The hospital considered patient requests for copies of their health records to be “incomplete” if the request form was not:

  1. Witnessed
  2. Dated within the last 3 months
  3. Directed to the hospital
  4. Inclusive of what information the individual required (including relevant dates of records)
  5. Inclusive of the purpose for the request
  6. Inclusive of the patient’s name, address, signature, date of birth, health care number and other identifying information
  7. Inclusive of the substitute decision-maker’s name and proof of legal authority (if the request was made by the patient’s substitute decision-maker)

The IPC stated that it was inappropriate for the hospital to reject access requests as incomplete on 3 of those elements:

  1. Witnessed: access requests are not required by law to be witnessed by another person
  2. Dated within the last 3 months: the hospital had not explained why it took the position that every access request signed beyond 3 months prior was automatically suspicious and therefore rejected
  3. Inclusive of the purpose for the request: individuals are not required to explain why they want access to their own records – while healthcare organizations are allowed to ask for the purpose (in order to help understand the request for access), they are not allowed to refuse to process the request if a reason for access is not shared

What questions do your access forms ask?

How do you process access requests?

Do you ever send the forms back as “incomplete”?  If yes, read Decision 93 to better understand your obligations to ensure patients have proper access to their own information.

Want to read about PHIPA privacy decisions of the IPC? Click here to get my free up-to-date Summary of all the IPC’s PHIPA Decisions.


In healthcare we often repeat that “hand hygiene saves lives” – well so too does digital hygiene.

What is digital hygiene?

Digital hygiene is a term of art used in the technology and cyber security field to describe positive practices to protect digital information from loss, theft, and unauthorized use, disclosure, modification or destruction.

How does digital hygiene save lives?

If and when a healthcare organization is hit by ransomware, a cyber attack, or a physical hacker and its electronic information systems are compromised, the organization may have to stop providing health services for a period of time. This can be devastating for emergency health services and negatively impact elective health procedures. Having no access to health records or only access to incorrect information can compromise health services.

Good digital hygiene includes recommendations to:

  • Use different passwords personally and professionally
  • Make back-up copies of files
  • Keep your operating system up-to-date
  • Avoid inserting unknown mobile devices into networked computers (like unknown USB keys)
  • Standardize email subject lines and signatures
  • Manage and protect passwords

The Information and Privacy Commissioner of Ontario (IPC) has just contributed new guidelines to the digital hygiene conversation, “Protect Against Phishing”. These guidelines, released today, address how to:

  1. recognize a phishing message
  2. protect against phishing attacks
  3. respond to a cyber attack

According to TechTarget Search Security: “Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication channels. The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including the extraction of login credentials or account information from victims.”

Reviewing the IPC’s new guidelines is essential to the role of all Privacy Officers in healthcare.

Next Steps:

There are 4 ways to work with me when you are ready:

  1. Attend one of my free Ask Me Anything about Health Privacy webinars – the first Wednesday of every month at 10am EDT/EST
  2. Join me for my next Health Privacy Officer training and become even more confident in your role.
  3. Join me for my next Advanced Privacy Officer training – for practicing your skills.
  4. Invite me to do your team privacy training or assist you with privacy policies or privacy breach management

Want to read about PHIPA privacy decisions of the IPC? Click here to get my free up-to-date Summary of all the IPC’s PHIPA Decisions.


“The right of an individual to access his or her records is essential to the exercise of other statutory and common law rights, including the right of an individual to determine for himself or herself what shall or shall not be done with his or her own body, the right of an individual to “informational self-determination” and the right of an individual to require the correction or amendment of personal health information about themselves. It is also vital in ensuring continuity of care, for example, where an individual has decided to seek health care from another health care provider.”

Order HO-009, (then) Assistant Commissioner Brian Beamish

One of the key privacy messages every healthcare organization needs to know is a patient has a right to access their own information.

In Ontario, the Personal Health Information Protection Act, 2004 gives individuals the right to access their records. The law reflects the rights established in a court case back in 1992. So this is not new!

McInerney v. McDonald – Supreme Court of Canada

The right of access has a long and rich history.  The most important case on the topic is the case of McInerney v. McDonald which was decided in 1992 by the Supreme Court of Canada.

A patient made a request to her doctor for copies of the contents of her complete medical file.

The doctor delivered copies of all notes, memoranda and reports she had prepared herself but refused to produce copies of consultants’ reports and records she had received from other physicians who had previously treated the patient, stating that they were the property of those physicians and that it would be unethical for her to release them.

The doctor suggested to her patient that she contact the other physicians for release of their records.

But the court said …

  • In the absence of legislation, a patient is entitled, upon request, to examine and copy all information in her medical records which the physician considered in administering advice or treatment, including records prepared by other doctors that the physician may have received.
  • Access does not extend to information arising outside the doctor-patient relationship. The patient is not entitled to the records themselves.  The physical medical records of the patient belong to the physician.
  • Information about oneself revealed to a doctor acting in a professional capacity remains, in a fundamental sense, one’s own.
  • While the doctor is the owner of the actual record, the information is held in a fashion somewhat akin to a trust and is to be used by the physician for the benefit of the patient.
  • The physician-patient relationship is fiduciary in nature and certain duties arise from that special relationship of trust and confidence.
  • These include the duties of the doctor to act with utmost good faith and loyalty, to hold information received from or about a patient in confidence, and to make proper disclosure of information to the patient.
  • The doctor has an obligation to grant access to the information used in administering treatment.
  • This fiduciary duty is ultimately grounded in the nature of the patient’s interest in the medical records.
  • The confiding of the information to the physician for medical purposes gives rise to an expectation that the patient’s interest in and control of the information will continue.
  • The trust-like “beneficial interest” of the patient in the information indicates that, as a general rule, she should have a right of access to the information and that the physician should have a corresponding obligation to provide it.
  • The patient’s interest being in the information, it follows that the interest continues when that information is conveyed to another doctor who then becomes subject to the duty to afford the patient access to that information.
  • Further, since the doctor has a duty to act with utmost good faith and loyalty, it is also important that the patient have access to the records to ensure the proper functioning of the doctor-patient relationship and to protect the well-being of the patient.
  • Disclosure to the patient serves to reinforce the patient’s faith in her treatment and to enhance the trust inherent in the doctor-patient relationship.  As well, the duty of confidentiality that arises from the doctor-patient relationship is meant to encourage disclosure of information and communication between doctor and patient.  The trust reposed in the physician by the patient mandates that the flow of information operate both ways.
  • The patient’s general right of access to medical records is not absolute.  If the physician reasonably believes it is not in the patient’s best interests to inspect the medical records, the physician may consider it necessary to deny access to the information.
  • Considering the equitable base of the patient’s entitlement, when a physician refuses a request for access, the patient may apply to the court for protection against an improper exercise of the physician’s discretion.
  • The court will then exercise its superintending jurisdiction and may order access to the records in whole or in part.
  • The onus lies on the physician to justify a denial of access. Patients should have access to their medical records in all but a small number of circumstances.
  • In the ordinary case, these records should be disclosed upon the patient’s request unless there is a significant likelihood of a substantial adverse effect on her physical, mental or emotional health or harm to a third party.

The right of access to information is a founding principle of privacy.

Want to read about PHIPA privacy decisions of the IPC? Click here to get my free up-to-date Summary of all the IPC’s PHIPA Decisions.

There are 4 ways to work with me when you are ready:

  1. Attend one of my free Ask Me Anything about Health Privacy webinars – the first Wednesday of every month at 10am EDT/EST
  2. Join me for my next Health Privacy Officer training and become even more confident in your role.
  3. Join me for my next Advanced Privacy Officer training – for practicing your skills.
  4. Invite me to do your team privacy training or assist you with privacy policies or privacy breach management

While we live in a highly digitized world, we still rely A LOT on paper in healthcare. As we move towards even more integrated care, the reliance on and existence of paper health records will be a challenge to overcome.

From a privacy perspective, paper health records can be tricky to protect from loss, theft, unauthorized use and disclosure. The piece of paper offers challenges its electronic copy does not face.


Paper health records are vulnerable to loss in a way electronic records are not. Floods and fires can decimate paper records without backup. If a paper record is misfiled, it may be lost forever, buried in another chart in a drawer with hundreds or thousands of other charts, without the benefit of Ctrl+F functionality, leaving manual searching as your only option.

Shredding vs. Recycling

There are a number of privacy breach cases rooted in mistaken recycling of paper health records that were meant to be shredded. Confidential shredding bins are essential equipment for healthcare teams.  Still privacy breaches abound through human error. Leaving the key in the confidential shredding bin to make it easier to fit more paper leaves the bin vulnerable to interference.  Leaving overflow bags of shredding next to the confidential shredding bin can mean they are mistaken for recycling. Using “blue bins” as interim holding bins for what should be shredded can prove dangerous when cleaners mistake the blue shredding bin for a blue recycling bin.


There is a JAMA study showing Canadian hospitals consistently found low to high sensitivity paper records with identifiable health information thrown into their garbage cans.

Inadvertent Viewing

Avert your eyes! Ever notice that bored patients or their family members will read ANYTHING available when they have to wait to be seen? They even read upside down! When people are bored they will look for things to do. Paper records of other patients make for fascinating reading. Keeping a clean desk without paper records viewable to passersby can be challenging to maintain.

What’s a Privacy Officer to do?

Most healthcare teams deal with paper health records to some extent. Privacy Officers should not forget that paper likely exists in their team, and should make sure to include tips on how to protect paper records in their privacy training and reminders.


Your privacy policy likely requires all staff members to “report any privacy breach” to the Privacy Officer.

But do your team members know what a privacy breach looks like or sounds like?  They can’t report if they don’t know what it means.

Here are some examples you can include in your training or policies to bring the meaning of “privacy breach” to life:

  • The electronic systems are hacked and client information is made public
  • An unencrypted laptop (or USB key, back-up hard drive or other portable device) with client information saved on the hard drive is stolen
  • Client information is recycled or thrown in the garbage and not shredded
  • Client information is given to the media without an individual’s consent
  • Client takes a picture of other clients’ information
  • A team member sends an Excel spreadsheet with client information to a help desk at a bank (autofill in email auto-corrected to the wrong email address)
  • A team member takes a picture or makes an audio or video recording of a client without consent
  • A team member looks at and makes a copy of an ex-spouse’s client record to use in divorce proceedings
  • A team member posts client information to personal social media account without consent
  • A student looks at client information on a self-initiated education project without being assigned to work with that information and without specific authorization for an approved educational exercise
  • A team member uses client-identifiable data to do unauthorized research or program planning
  • A team member uses another team member’s password to do work as a workaround
  • A team member is a fan of a celebrity client and looks up information for the celebrity’s address or health conditions
  • A team member makes a copy of an ex-spouse’s health record to use against them
  • Team members discuss clients in hallways and lunchrooms and other clients overhear (even colleagues overhear)
  • Team members release information to another health care provider when a client has said they don’t want that provider to know
  • Team members release information to a spouse or parent or child when the client doesn’t want that family member to know

BONUS TIP: Ask team members to report “complaints”, “incidents” and “potential” breaches – not just actual breaches.


Why is privacy important?

Because it is essential for building trust.

Trust pops up time and time again in privacy breach stories.

In the 2017 sentencing hearing for a social worker in an Ontario family health team who was successfully prosecuted for looking at the health records of five clients without authorization (she had accessed many other clients’ health records without authorization but was prosecuted for five), one of the victims told her story and explained the privacy breach as a violation of trust:

There are no words to describe how I feel today. … you betrayed our trust. Trust in a system to help us understand our grief, trust that our story is our own, and trust that as a mother, I promised my children a safe place for their emotions. … You knew my family and you knew we had a story. You took the privacy of four people, two of those being children, and you decided that your curiosity was more important, and I hope today you are held accountable for that.

In the reasons for the sentence of a personal fine of $25,000 to the social worker, Justice Hampson stated:

The various victims have provided victim impact statements which are quite telling in terms of the sense of violation, the loss of trust, the loss of faith in their own health care community, and the utter disrespect that <name removed> displayed towards these individuals. One individual described being vulnerable. There is a fear of misuse of the information, a fear for future treatment. There is a sense of betrayal, a sense of embarrassment, a sense of being exposed.  Numbness and shock from others. Overall, the victim impact statements reveal a lack of trust and a sense of reluctance to share information with future health care providers.

I believe this is a truly significant factor, given that we all must believe that when we go to the doctor for our physical illness and other mental health illnesses, that we will be able to trust our own health care practitioners and their team and that what we tell them will be respected and held in confidence so we receive the treatment and care we deserve.

A trustworthy healthcare system requires robust privacy practices. Privacy Officers are trust builders.

Privacy Officers cultivate the four fundamental elements of trust in a health care environment: competence, reliability, care, and communication.

Competence:   The environment is safe. The team have sufficient skills and capability to provide the services.

Reliability: The team does what they say they will do.  The experience is consistent.

Care: The team has the best interests of patients at heart. The team and patient share the same goals and values. The patient is a valued participant.

Communication: The team operates truthfully and honestly. Information is proactively available. The rules are transparent, understandable and accessible. Questions are welcomed and answered.

Not everyone sees the role of Privacy Officer in a positive light. Privacy Officers are sometimes seen as humourless enforcers or wet blankets telling everyone else what they can’t do.

As a Privacy Officer, how do you avoid terrifying your team into privacy paralysis or constantly sounding like a wet blanket of what “can’t be done”?

The answer is culture.

Privacy compliance is of course a big part of what a Privacy Officer does.  But, a Privacy Officer is always in search of what Chris Pahl, a Privacy Compliance Program Leader at Southern California Edison, calls a “compelling why”:

Training teaches the “what” and the “how” of privacy, but adding to those a compelling “why” is what begins to create culture. Beyond explaining how principles translate into specific requirements and obligations, it is important to help individuals understand why privacy matters at all.

Privacy Officers must be able to identify the privacy rules and describe the steps to take to achieve compliance. And, to avoid being ignored by team members or viewed as a barrier to care, you must also be able to tap in and explain:

  • WHY privacy is important
  • WHY patients care about privacy
  • WHY your team members should look for ways to be more privacy respectful
  • WHY privacy is a way of demonstrating organizational commitment to your mission, vision and values

Think of your role in terms of building trust. That will help you find your compelling why.



Trust is the foundation of healthcare.

Without trust, patients delay receiving care.

Without trust, patients do not share the truth that helps clinicians uncover what is actually happening.

Where trust is compromised, patients, their families and caregivers feel vulnerable and unsafe. They go elsewhere or nowhere to seek help.

I’ve been studying “trust” in business, healthcare and interpersonal relationships, and there seem to be 4 key elements of trustworthy teams:

  1. Competence:  The team have sufficient skills and capability to provide the services. The environment is safe.
  2. Reliability: The team does what they say they will do.  The experience is consistent.
  3. Care: The team has the best interests of clients at heart. The team and client share the same goals and values. The client is a valued participant in the service.
  4. Communication: The team operates truthfully and honestly. Information is proactively available. The rules are transparent, understandable and accessible. Questions are welcomed and answered.

I’m an avid watcher of Dr. Pimple Popper. Sure, it’s a show about graphic surgical skin procedures. But mostly, it is a masterclass in trust building. Dr. Sandra Lee and her team create a trust environment. If you watch that show, you will hear and witness the patient experience and you will often hear the word or a reference to “trust”.  People have put off addressing painful and unsightly conditions because they are fearful of the healthcare system. They come to Dr. Lee because they trust her.

Are you and your healthcare organization trustworthy?

ACTION: Take the 4 key elements of trust and ask your team “are we trustworthy”?  What elements could we strengthen to support the experience patients, families and caregivers have when working with us?  

BONUS POINTS: Ask your patient council and family council (representatives) the same questions. 


You and your community have signed up to be a Wave 1 Ontario Health Team.

Does it feel like you are on a roller coaster?

You signed up. You’ve strapped yourself into the seat.

You’ve turned the first corner and you hear the “kk-chug”. You start the steep, jerky climb.

up. up. up.

You are doing the hard work now. Filling in forms.  Identifying your “readiness”.  Assessing cohesiveness in your community.  Attending meetings with 40 other community leaders. Vocalizing your team’s strengths. Sharing the points of vulnerability in transitions of care.

up. up. up.

But you are also starting to think… Huh.

What is going to happen to our patients? Are they going to fall through the cracks? Is this going to result in actual improvements for them?

up. up. up.

What about my team?  Is our model understood by the other partners? Are they going to see what we do as valuable?

up. up. up.

Am I going to have a job at the end of this? Have I just signed up to make myself redundant?

whoa. we are getting higher now.

The healthcare system is undergoing a massive reorganization.

Just like the first time on a roller coaster, it’s hard to know whether the ride is going to be exhilarating or terrifying.

One of the issues that is going to arise for you in this journey to becoming an OHT is privacy.

Here are some privacy considerations you and your OHT community partners need to discuss:

  1. Will we need to (or want to) apply to become a single health information custodian under the Personal Health Information Protection Act?
  2. What electronic health information systems are we all using? Do those integrate? Can we use Connecting Ontario viewers to assist us with health information integration?
  3. What data sharing and eHR access agreements do we need in the short term and long term?
  4. What opportunities arise for us to integrate privacy policies and training?
  5. What special privacy services do we not want to lose?
  6. If the OHT is subject to freedom of information legislation, FIPPA, what does that mean for the partners who have not been subject to it to date?

As you are inching your way up up up the Wave 1 OHT roller coaster, I’d love to be involved in your strategy for how to make privacy an enabler of health services and not an impediment to integration.

I offer:

  1. Strategy meetings with community partners to understand privacy readiness, worries and opportunities
  2. Privacy training across the healthcare system – I can speak to what privacy sounds like in primary care, hospitals, palliative care, long-term care, mental health centres, public health, rehabilitation, children’s services, elder care, municipal services, supportive housing, dental, private practice, community care, teaching environments, and home care.  I can help your teams understand the other services your OHT will offer in the integrated entity
  3. Freedom of information training – those of you new to freedom of information need to learn about public rights of access to your records, proactive disclosure opportunities, minute-taking, email etiquette, record retention, search parameters
  4. Privacy policy integration
  5. A Privacy Officer community of more than 300 participants across the province and across the healthcare service spectrum who ask questions of me and each other in a private forum

I know this is a time of uncertainty.

We can do this.  We are the trust builders.

Together we will learn how to take this uncertainty and improve the health system for our patients, their caregivers, our teams and our communities.

Join me for my free live Ask Me Anything about Health Privacy webinars on the first Wednesday of every month from 10-11am.  In June I’m going to talk about privacy in transition to the new healthcare system. In May 2019 I talked about the topic of kids and privacy.  If you missed it, you can now purchase the replay where you can watch the video, download the transcript and the slides. Go to the Kate Dewhirst Shop for more information and to gain access.  
