Virtual Care Q&A with the Office of the Information and Privacy Commissioner of BC

These questions were posed to the Office of Information and Privacy Commissioner of BC in the spring of 2020 by PABC.

Note that the context of this conversation was in regard to PRIVATE PRACTICE clinic use of virtual care tools and corresponding PIPA legislation compliance. However, some reference to FIPPA is made where it was relevant and crossed over.

Answers from the OIPC are subject to the following disclaimer from OIPC:

Please also note that our comments are not intended to be relied on as legal or other advice and cannot be relied on as such. Please see the OIPC Policy on Consultations.

Private practice clinics need to inform their client bases of their Virtual services. Some are concerned that this will be considered spam and break privacy legislation if the client has not agreed to receive marketing emails.

Answer from OIPC:
This office oversees the Personal Information Protection Act and the Freedom of Information and Protection of Privacy Act. I can’t really comment on Canada’s Anti-Spam Legislation (CASL) but it is my understanding that CASL doesn’t apply if the physiotherapist has an existing relationship with the client, and they aren’t trying to sell a product or service.

Can you confirm that email communications of this form with more sensitive personal and health information such as x-ray reports are NOT prohibited by PIPA?

Full Question:
Can you confirm that email communications of this form (booking appointments, communicating with clients about their progress, sending general documents such as exercise PDFs, or sending documents from patient to private practice clinic containing more sensitive personal and health information such as x-ray reports) are NOT prohibited by PIPA (although they may require special consideration, security measures, and consent)?

Answer from OIPC:
You are correct that email communications you describe are not prohibited by the Personal Information Protection Act (PIPA), but as you have identified they may require special consideration and security measures, depending on the sensitivity of the personal information.

Should private practice clinics have a separate consent that allows them to use electronic communications (such as email/text) to communicate with patients and third parties?

Answer from OIPC:
You do not need separate consent for electronic communications if you already have consent for the disclosure of a patient’s personal information to third parties. PIPA treats electronic medical records the same way it treats paper medical records.

*PABC / CPTBC note: Please note this implies simple communication for appointments, etc. – not care delivery.

Some private practice clinics are using Gmail addresses or G Suite business solutions. Google does not have Canadian servers. Should clinics be requesting consent before using email communications through these platforms due to cross-border data flow?

Or should a disclaimer on the signature line be used in place, or in addition to such consent?

Answer from OIPC:
PIPA does not have data residency requirements, so physiotherapists in private practice do not require consent to store personal information on non-Canadian servers.

Are there any other suggestions or samples you could recommend for private practice members of the necessary consents we should be collecting in regard to email communications?

We function quite analogously to a doctor’s or dentist’s office, so examples of those would suffice as well.

Answer from OIPC:
Separate consent for email communications is not required if you already have consent for the collection, use and disclosure of a patient’s personal information. PIPA treats electronic medical records the same way it treats paper medical records.

However, the Freedom of Information and Protection of Privacy Act (FIPPA) governs health authorities. If a physiotherapist is working for a health authority, FIPPA requires that personal information in a health authority’s custody or control be stored and accessed only in Canada unless the health authority obtains patient consent for access or storage outside of Canada, with very limited exceptions.

Is there anything else you suggest we tell our private sector members about using virtual care (assuming all personal information is initially collected using standard, PIPA compliant procedures as it would be for in-person visits)?

Answer from OIPC:
The specific requirement in PIPA is in s. 34. Here are some basic things to keep in mind:

  • You would need your patients’ consent.
  • Tell clients that you cannot guarantee that your conversations with them will not be intercepted, but explain what security measures are in place to minimize the chance of that happening (e.g., end-to-end encryption).
  • Given that the personal information you are collecting, using and disclosing is sensitive because it relates to an individual’s health, you should only use a platform that has end-to-end encryption.
  • You should read the privacy policy of whatever platform you are using to ensure that there are not any terms that seem like red flags.
  • Avoid platforms owned by companies with known privacy problems.
  • If you record meetings, you should immediately save a copy on a local, secure computer you control and delete recordings off of the platform you are using.
  • You are not responsible under PIPA for the security of the patient’s device, only your device and the platform on which you conduct your work. I suggest you make it clear to your patients they are responsible for their own security. For example, they should communicate with you using a machine with an encrypted hard drive (like an iPad or iPhone) but if they do not, then that is their responsibility, not yours.

If you want to read more about what the OIPC has published about this topic, here are two resources:

Virtual Care FAQ