Originally posted March 23, 2020
Are you curious about Canadian Privacy and Security? As a group of passionate Therapists, we understand that these are crazy times and there are so many questions around privacy and compliance. While this is not legal advice we wanted to share a bit of what we know as you quickly pivot to keep your client relationships warm and your clinics running with a new service delivery model. #weareallinthistogether
Disclaimer: This document is not a substitute for obtaining your own legal advice on telepractice and privacy as mandated under the applicable provincial and federal legislation. The information below was collected from company websites, a review of Canadian privacy and security laws, and resources received at the Speech and Hearing conference, Oct. 2019.
The answers around privacy depend on whether you operate as a private entity or as (or on behalf of) a public body.
FOIPPA states that personal information collected by a public body must be stored in Canada. When a private practitioner or clinic has a contract with the provincial government, it acts as an extension of the public body and is required to comply with FOIPPA, because it receives the personal information from the provincial government (the public body). In BC this would include WorkSafe BC, ICBC, etc. The law applies because the government remains responsible for what happens to that client data.
PIPA (BC and Alberta), PHIPA (Ontario) and PIPEDA (Canada's federal law) require that personal information be protected by safeguards appropriate to its sensitivity (in practice, encryption in transit and at rest and access restricted to those who need it), along with common-sense rules for the collection, use and disclosure of that information. These laws do not require that the data be stored in Canada. When a private practitioner or clinic receives health information directly from the client, there is no government mandate to comply with FOIPPA. What is required is client consent, including clear information about where and how the client's data is being stored.
Q: Does Therabyte comply with Canadian Privacy laws?
A: Yes. Therabyte complies with all applicable Canadian privacy and security laws, using bank-level security. We invite you to review our privacy policy and terms of service for more detailed information.
Q: Where does Therabyte store data?
A: We use Canadian-based servers.
Q: Do I need written consent for the collection of personal health information?
A: Yes. PIPEDA, Canada's federal privacy law, requires that a business obtain consent before collecting and storing personal health information, and that it make a reasonable effort to help clients understand how, why and where their personal information will be collected and stored. Consent should be obtained as early as possible in the practitioner-client interaction. Consent is also required before client information is shared with anyone outside your company. A secure website with online intake and consent forms makes this information easier to collect and reduces the risk of a security breach. (Therabyte users receive a secure, customizable clinic landing page that integrates consent for release of personal information with the online intake forms.)
Q: How can I protect the data that I am collecting through online forms?
A: When a website URL starts with https, the connection between the client's browser and your website is encrypted. Data intercepted on the way cannot be read or altered, provided the certificate is valid and the browser shows no warnings. Two caveats: the padlock only covers data in transit, so the form itself must also submit to an https address and must not load scripts or other resources over plain http (so-called mixed content); and once the data arrives it is stored, which is a separate question covered by your provider's storage practices and privacy policy. If your website does not use https, contact your hosting company to upgrade. This is required for the safe handling of personal information whenever clients complete online intake forms. (Therabyte users receive a secure, customizable clinic landing page with integrated online intake forms.)
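As an added example (not Therabyte's code, and not part of the original post), the following Python script performs the checks described above, offline, on a constructed intake page: it flags forms that submit to an http:// address, sub-resources loaded over plain http (mixed content), a missing Strict-Transport-Security header, and a session cookie set without the Secure flag. The page URL, HTML and response headers are constructed sample data; in practice you would feed in the page and headers fetched from your own clinic site.

```python
"""
Offline audit of a clinic intake page for transport-security gaps.
Added example; the page URL, HTML and headers below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that either submit client data or load sub-resources.
# An http:// value in any of them undermines the padlock shown for the page.
_URL_ATTRS = {
    "form": "action",
    "script": "src",
    "img": "src",
    "iframe": "src",
    "link": "href",
}


class _Scanner(HTMLParser):
    """Collects (finding, element, url) tuples while parsing the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = _URL_ATTRS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if tag == "form" and not value:
            value = self.page_url  # a form without an action posts back to the page itself
        if value is None:
            return
        # urljoin resolves relative paths and scheme-relative "//host/..." URLs
        # against the page URL, so only genuinely plain-http targets are flagged.
        target = urljoin(self.page_url, value)
        if urlsplit(target).scheme != "https":
            kind = "insecure form submission" if tag == "form" else "mixed content"
            self.findings.append((kind, tag, target))


def audit_page(page_url, html, headers):
    """Return a list of (finding, element, detail) tuples; an empty list means nothing was found."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append(("page not served over https", "page", page_url))

    scanner = _Scanner(page_url)
    scanner.feed(html)
    findings.extend(scanner.findings)

    lower = {name.lower(): value for name, value in headers.items()}
    if "strict-transport-security" not in lower:
        # Without HSTS, a first visit typed as http:// can be intercepted
        # before the redirect to https happens.
        findings.append(("missing HSTS header", "header", page_url))
    cookie = lower.get("set-cookie")
    if cookie is not None:
        name = cookie.split(";")[0].split("=")[0].strip()
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in flags:
            findings.append(("cookie without Secure flag", "header", name))
    return findings


# Constructed sample: a page that shows a padlock but leaks through its form and a script.
SAMPLE_URL = "https://clinic.example/intake"
SAMPLE_HTML = """<html><head>
<script src="//cdn.example/widget.js"></script>
<script src="http://cdn.example/legacy.js"></script>
<link rel="stylesheet" href="/static/intake.css">
</head><body>
<form method="post" action="http://forms.example-clinic.ca/submit">
  <input name="name"><input type="checkbox" name="consent">
</form>
<form method="post">
  <input name="phone">
</form>
</body></html>"""
SAMPLE_HEADERS = {"Content-Type": "text/html", "Set-Cookie": "session=abc123; HttpOnly"}


def run_sample():
    """Audit the constructed sample page."""
    return audit_page(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS)


if __name__ == "__main__":
    for kind, element, detail in run_sample():
        print(f"{kind}: <{element}> {detail}")
```

The sample page is served over https, yet the audit reports four problems: the intake form posts the client's data to a plain-http address, a legacy script is loaded over http, the server sends no HSTS header, and the session cookie lacks the Secure flag. The scheme-relative widget script and the relative stylesheet are correctly left alone, since the browser resolves them over https.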
Q: What are the risks associated with using an IT service provider that is not claiming compliance with the Canadian privacy and security laws?
A: They may have no obligation to tell you about a security breach. HIPAA's breach-notification duties run between US covered entities and their business associates; a Canadian clinic is neither, so a US provider that is merely "HIPAA compliant" has no HIPAA duty to notify you. Canadian law, by contrast, puts breach notification on the clinic: PIPEDA requires organizations to notify affected individuals (and report to the Privacy Commissioner) when a breach of security safeguards creates a real risk of significant harm, and PHIPA requires Ontario health information custodians to notify individuals at the first reasonable opportunity. If the system you use to store or stream client health information is breached, informing your clients is therefore your responsibility, and you can only do that if your provider tells you first. Ask for a written breach-notification commitment before relying on a provider.
Q: What are my obligations as a practitioner if there is a security breach?
A: If you use an IT service that does not explicitly comply with Canadian privacy and security laws, and your client has consented to your using it, you (the practitioner) remain responsible for telling your client if their information is breached. As Dr. Wael Hassan writes in "Canadian Healthcare and US Cloud Services: Is HIPAA Compliance Good Enough for Canadian Health Data?": "email or cloud storage providers serving healthcare organizations in Ontario are obligated to notify them of any security breaches or other instances of unauthorized access or disclosure. HIPAA does not require IT service providers to notify healthcare clients of breaches. While a notification requirement could be included in a contract with an American service provider, many U.S. service providers are reluctant to agree to notify their clients of breaches because of fears of liability and loss of reputation".
Q: Can I use Gmail, Dropbox or Google Drive?
A: It depends.
- If you work in the private sector with no contracts with public bodies that require FOIPPA, you may use these services once client consent is received and it is clearly communicated why, how and where their personal information is being stored.
- If you have contracts with a public body in your province, you should NOT store client personal health information in Gmail, Dropbox or Google Drive. They are cloud-based applications running on global server fleets, and the consumer versions make no commitment about where your data sits, so there is no guarantee the information stays in Canada. Check the provider's documentation and contract rather than assuming.
Sourced Sites and References
A Guide to BC's Personal Information Protection Act for Businesses and Organizations. Accessed 22 Mar 2020.
"Canadian Healthcare and US Cloud Services: Is HIPAA Compliance Good Enough for Canadian Health Data?" Accessed 22 Mar 2020.
Cloud Computing and Privacy FAQ, 18 April 2011. Accessed 22 Mar 2020.
Guide to Access and Privacy Protection under FIPPA. Office of the Information and Privacy Commissioner for BC, October 2015. Accessed 22 Mar 2020.
"Is Everything in Microsoft Office 365 Stored in Canadian Data Centres?" Accessed 22 Mar 2020.
Personal Information Protection and Electronic Documents Act. Government of Canada, 13 April 2000. Accessed 22 Mar 2020.
Data Centre, Managed Hosting & Cloud Services. Accessed 22 Mar 2020.
FAQs – Personal Health Information Protection Act, September 2015. Accessed 22 Mar 2020.
Your Health Privacy Rights in Ontario. Accessed 22 Mar 2020.
"I Want to Try Telepractice" by Anna Krueger, distributed at the Speech and Hearing Conference, October 2019.