These questions were posed to the Office of Information and Privacy Commissioner of BC in the spring of 2020 by PABC.
Note that the context of this conversation was in regard to PRIVATE PRACTICE clinic use of virtual care tools and corresponding PIPA legislation compliance. However, some reference to FIPPA is made where it was relevant and crossed over.
Answers from the OIPC are subject to the following disclaimer from OIPC:
Please also note that our comments are not intended to be relied on as legal or other advice and cannot be relied on as such. Please see the OIPC Policy on Consultations.
Answer from OIPC:
PIPEDA and PIPA are substantially similar. However, it remains each organization’s responsibility to ensure the platform is PIPA compliant.
PABC / CPTBC note: FOIPPA is separate privacy legislation governing public practice and does have substantial differences from PIPEDA.
Answer from OIPC:
Unfortunately, I am not able to comment on HIPAA. The organization is responsible for making sure that the tool is PIPA compliant. I am not familiar enough with HIPAA to know how similar it is to PIPA.
Answer from OIPC:
If your organization functions in the private sector, yes, you can use telehealth/virtual care systems that have servers in the US.
Answer from OIPC:
This office oversees the Personal Information Protection Act and the Freedom of Information and Protection of Privacy Act. I can’t really comment on Canada’s Anti-Spam Legislation (CASL) but it is my understanding that CASL doesn’t apply if the physiotherapist has an existing relationship with the client, and they aren’t trying to sell a product or service.
Full Question:
Can you confirm that email communications of this form (booking appointments, communicating with clients in regard to progress, sending general documents such as exercise PDFs, or sending documents (from patient to private practice clinic) with more sensitive personal and health information such as x-ray reports) are NOT prohibited by PIPA (although they may require special consideration, security measures, and consent)?
Answer from OIPC:
You are correct that email communications you describe are not prohibited by the Personal Information Protection Act (PIPA), but as you have identified they may require special consideration and security measures, depending on the sensitivity of the personal information.
Answer from OIPC:
You do not need separate consent for electronic communications if you already have consent for the disclosure of a patient’s personal information to third parties. PIPA treats electronic medical records the same way it treats paper medical records.
PABC / CPTBC note: Please note this implies simple communication for appointments, etc. – not care delivery.
Or should a disclaimer on the signature line be used in place, or in addition to such consent?
Answer from OIPC:
PIPA does not have data residency requirements, so physiotherapists in private practice do not require consent to store personal information on non-Canadian servers.
We function quite analogously to a doctor’s or dentist’s office, so examples of those would suffice as well.
Answer from OIPC:
Separate consent for email communications is not required if you already have consent for the collection, use and disclosure of a patient’s personal information. PIPA treats electronic medical records the same way it treats paper medical records.
However, the Freedom of Information and Protection of Privacy Act (FIPPA) governs health authorities. If a physiotherapist is working for a health authority, FIPPA requires personal information in a health authority’s custody or control must be stored and accessed only in Canada unless the health authority obtains patient consent for access or storage outside of Canada, with very limited exceptions.
Answer from OIPC:
The specific requirement in PIPA is in s. 34. Here are some basic things to keep in mind:
- You would need your patients’ consent.
- Tell clients that you cannot guarantee that your conversations with them will not be intercepted, but explain what security measures are in place to minimize the chance of that happening (e.g. end-to-end encryption).
- Given that the personal information you are collecting, using and disclosing is sensitive because it relates to an individual’s health, you should only use a platform that has end-to-end encryption.
- You should read the privacy policy of whatever platform you are using to ensure that there are not any terms that seem like red flags.
- Avoid platforms owned by companies with known privacy problems.
- If you record meetings, you should immediately save a copy on a local, secure computer you control and delete the recordings from the platform you are using.
- You are not responsible under PIPA for the security of the patient’s device, only your device and the platform on which you conduct your work. I suggest you make it clear to your patients they are responsible for their own security. For example, they should communicate with you using a machine with an encrypted hard drive (like an iPad or iPhone) but if they do not, then that is their responsibility, not yours.