PIPA obligations and your practice

Health information is among the most sensitive forms of personal information—protecting it is foundational to the doctor-patient relationship. While technology makes consulting with colleagues, patients, and other health care providers easier, it also increases security risks and makes it harder for physicians to maintain the confidentiality of their patients’ personal health information.

The Privacy Toolkit

The BC Physician Privacy Toolkit: A guide for physicians in private practice was created by Doctors of BC, the Office of the Information and Privacy Commissioner for BC, and the College of Physicians and Surgeons of BC to support physicians in meeting their obligations under the Personal Information Protection Act (PIPA). PIPA is the private sector privacy legislation in BC that applies to physicians in private practice and private health care organizations.

The BC Physician Privacy Toolkit provides practical steps and ready-to-use resources and is complemented by the comprehensive resources below, which physicians can rely on to make complying with PIPA easy and straightforward.

PIPA basics

Read the PIPA fact sheet for quick reference.

What legislation applies?
What are your responsibilities?

Physicians are responsible for protecting the personal health information they collect, use, and share, including:

  • Patient information
  • Billing and contact details
  • Personal data

The 10 Principles of PIPA:

  1. Assign accountability
  2. Identify purpose
  3. Obtain consent
  4. Limit collection
  5. Use, disclose and retain appropriately
  6. Maintain accuracy
  7. Employ safeguards
  8. Be transparent
  9. Provide access
  10. Permit recourse

Learn more about the 10 essential steps for PIPA compliance.

Putting the privacy toolkit into action

Appoint a privacy lead

Start by appointing a physician to be responsible for compliance (actual work can be delegated). Without someone who is accountable for privacy compliance and training, it will be hard to implement the rest of the needed steps. This person will need to:

  • Protect all personal information held in any form by your organization or third parties
  • Document and implement personal information policies and procedures 
  • Regularly assess your privacy management program and address any shortcomings 
  • Be prepared to show you have a privacy management program in place that is being followed in case you are audited
  • Be prepared to notify patients and report to the Privacy Commissioner when there is a breach 

Collecting information

You need to understand why you’re collecting information, limit it to what you need, and ensure that you’ve obtained the proper consent to do so.

This includes:

  • Providing reasons for collecting personal information before or at the time it is collected, and collecting only the information necessary for the identified purposes
  • Documenting why information is collected and identifying the types of personal information collected in your policies and procedures documents
  • Obtaining consent to use and disclose personal information before or at the time it is collected, and again when using it for a new purpose
  • Never using deceptive means to obtain consent or withholding services from someone who declines to consent, and explaining the implications to an individual who withdraws consent

Limit use, disclosure, storage, and retention

Physicians must only use and disclose personal information for the purposes for which it was collected, and must stop storing and retaining it once it is no longer needed.

Tips:

  • Only use and disclose personal information for the purposes it was collected
  • Follow safe practices when using electronic communication methods (fax, email)
  • Never use personal information for research purposes without explicit consent
  • Have an information sharing agreement in place with the party you are sharing with
  • Document retention periods to comply with legal and regulatory requirements
  • Only retain personal information until it no longer fulfills its intended purpose
  • Dispose of personal information in a way that prevents a privacy breach
  • Before disposing of electronic devices (like computers, photocopiers, cellphones, etc.) ensure that all personal information is fully deleted

Accuracy and safeguards

It’s important to keep information accurate through regular updates and to use safeguards to protect that information. As IT and patient privacy are linked, these webpages provide helpful information and tools to support clinic security, including setting up a secure network.

Physicians are responsible for ensuring their network is private and enables secure access to clinical information in their electronic medical record (EMR) systems. If you are transitioning to an EMR, review these guidelines for EMRs and role-based access.

Tips:

  • Establish policies to keep information updated on a regular basis
  • Protect all personal information held in any form against loss or theft
  • Document and implement information and system security policies and procedures and regularly assess them
  • Be prepared to show you have a security management program in place that is being followed in case you are audited

Transparency and access

Physicians must be transparent about privacy practices and provide patients with access to their information.

This includes:

  • Ensuring front-line employees are trained to respond to inquiries
  • Making policies available to patients and providing contact information for questions
  • Responding within 30 days to any patient questions about how their information will be used, and providing access to their information at minimal or no cost

Handling complaints

Complaints and privacy concerns must be handled quickly and appropriately.

Tips:

  • Develop simple and easily accessible complaint procedures
  • Provide guidance to the individual making the complaint
  • Record the date a complaint is received and acknowledge receipt to the individual
  • Assign the matter to a qualified person who can review it fairly and impartially
  • Notify individuals of the outcome of investigations clearly and promptly, including any steps taken
  • Correct any inaccurate personal information or modify policies and procedures

Videos

Understanding the Law

Learn about the legislative framework in the BC healthcare system.

Topics:

  • Why privacy laws are needed
  • Why there are different laws
  • What the 10 principles that underlie PIPA are
  • Where to find more resources

FAQs

How can a patient request access to their personal information?

The patient can complete and send you the Patient Request for Access to Personal Information form.

How can a personal representative of a deceased patient request access to their loved one’s medical records?

Under Section 3 of the PIPA Regulations, the “personal representative of the individual at the time of the individual’s death or, if there is no personal representative, the nearest relative” may exercise access rights of the deceased individual and give or refuse consent to the collection, use and disclosure of personal information of the deceased.

The personal representative can complete and send you the Patient Request for Access to Personal Information form. A physician is obligated to provide a copy of records when provided with a written, dated authorization form.

How much can I charge for providing access to a patient’s medical records?

PIPA permits a physician to charge a “minimal fee” for access to a patient’s medical records. Providing copies of relevant information contained in a medical record and/or forwarding a file to another physician should be done promptly and never be delayed pending payment of the “minimal fee”. Physicians should be mindful of the patient’s economic circumstances when charging this fee.

The Office of the Information and Privacy Commissioner for BC interprets “minimal fee” to be a “nominal fee”.

For more information from the College of Physicians and Surgeons of BC, see Medical Records.

What is required to provide patient information to law enforcement agencies?

While it is not mandatory, PIPA Section 18(j) permits the disclosure of personal information to a law enforcement agency to assist in an investigation (or the decision to undertake an investigation) to determine whether an offence has taken place, or to prepare for the laying of a charge or the prosecution of an offence.

For more information from the College of Physicians and Surgeons of BC, see Disclosure of Patient Information.

What should I do if I accidentally mail something to the wrong address?

When the mistaken recipient contacts you, ask them if they opened the envelope. If they did not open it, ask them to mark it as “Return to Sender” and put it in the mail. Once it is received:

  • Examine the envelope to ensure it was not tampered with.
  • Open the envelope and remove the contents, discarding the old envelope.
  • Place the contents in a new envelope addressed to the correct recipient and put it in the mail.

If they did open it, ask them to shred the contents and confirm when that has been done. Once they have confirmed destruction:

  • Prepare an apology letter that includes the following:
    • This correspondence containing personal and confidential information was sent to an unintended recipient.
    • We value the privacy and security of your information and have asked the recipient to confirm secure destruction of the information.
    • We do not believe your confidential information has been compromised but are obligated to advise you of this error. If you are concerned about your personal information being compromised, you can contact credit reporting agencies to set up a credit watch (e.g., Equifax or TransUnion).
    • You have the option to file a formal complaint with the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
    • We apologize for any inconvenience this error has caused. If you have any questions or concerns, please feel free to contact me or send an email to our privacy officer at <provide email address here>.
  • Prepare the original correspondence again.
  • Place the contents in an envelope addressed to the correct recipient.

What should I do if I accidentally send a fax to the wrong number?

When the mistaken recipient contacts you, ask them to immediately shred the faxed documents.
Once they have confirmed destruction:

  • Prepare an apology letter that includes the following:
    • This fax containing personal and confidential information was sent to an unintended recipient.
    • We value the privacy and security of your information and have asked the recipient to confirm secure destruction of the information.
    • We do not believe your confidential information has been compromised but are obligated to advise you of this error. If you are concerned about your personal information being compromised, you can contact credit reporting agencies to set up a credit watch (e.g., Equifax or TransUnion).
    • You have the option to file a formal complaint with the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
    • We apologize for any inconvenience this error has caused. If you have any questions or concerns, please feel free to contact me or send an email to our privacy officer at <provide email address here>.
  • Prepare the fax cover page again and add 1 page to the total number of pages.
  • Fax the documents and apology letter to the correct recipient.

Check to ensure you have a fax disclaimer set up so that all outgoing faxes include the disclaimer. See Fax Disclaimer Template.

What should I do if I accidentally send an email to the wrong person?

Send an email to the mistaken recipient asking them to:

  • Permanently delete the email from your email folders,
  • Permanently delete the email from the server of your email provider,
  • Permanently delete any electronic copies you may have saved,
  • Shred any copies you may have printed and
  • Confirm by return email once these steps have been completed.

Send the email to the correct recipient with an apology that includes the following:

  • This email containing personal and confidential information was sent to an unintended recipient.
  • List the types of sensitive information that were mistakenly disclosed (e.g., name, gender, age, Care Card number, home address, phone number, email address, medical information).
  • We value the privacy and security of your information and have taken the following steps:
    • Asked the recipient to confirm permanent deletion and secure destruction of the information.
    • Reviewed our procedures to prevent this from occurring in the future.
    • Communicated those procedures to staff.
  • We do not believe your confidential information has been compromised but are obligated to advise you of this error. If you are concerned about your personal information being compromised, you can contact credit reporting agencies to set up a credit watch (e.g., Equifax or TransUnion).
  • You have the option to file a formal complaint with the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
  • We apologize for any inconvenience this error has caused. If you have any questions or concerns, please feel free to contact me or send an email to our privacy officer at <provide email address here>.

Check to ensure you have an email disclaimer set up so that all outgoing email includes the disclaimer. See Email Disclaimer Template.

How can a patient request a correction to their personal information?

The patient can complete and send you the Patient Request to Correct Personal Information form.

What internal controls can be put in place to ensure accuracy?

Several internal controls can be put in place, such as:

  • Programmed edits to ensure correct format
  • Manual quality control checks by someone other than the person doing data entry
  • External audits
  • Internal reviews and audits
  • Interaction with external parties
  • Segregation of duties
  • Reconciliations

What is a privacy breach and what needs to be done if it happens?

A privacy breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information. The most common privacy breach happens when personal information of members, non-members or employees is stolen, lost or accidentally disclosed. There are two different kinds of breaches:

  • Accidental
    • Sending an email to the wrong email address
    • Sending a fax to the wrong number
    • Backup lost in transit (same problem can happen with CDs)
    • Policy violation due to lack of training
    • Janitors remove paper records that were not locked up
  • Criminal
    • Hacking
    • Stolen laptop
    • Stolen backup
    • Dishonest employee
    • Unauthorized intrusion into systems
    • Debit machine thieves

If you know or suspect a breach has occurred, immediately notify your Privacy Officer. Depending on the scope of the breach, they may contact the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.

For more information from the Office of the Information and Privacy Commissioner for BC, see Privacy Breaches: Tools and Resources.

What are the safest ways to collect personal information?

Patient information should be collected on a standard form.

If collecting information verbally, ensure you are in a private place where no one else can hear.

Whenever possible, you should employ the following methods of receiving information:

  • Secure File Transfer Protocol (SFTP) - Secure transfer of files over the internet
  • Transport Layer Security (TLS) - Secure email communications between the Doctors of BC and other organizations
  • Virtual Private Network (VPN) - Secure, private tunnel between two or more devices across a public network

Less secure methods include:

  • Compact disk via mail or courier where there are risks of loss in transit. If this method must be used, files must be encrypted and/or password protected, even if the CD is hand-delivered
  • Email where there are risks of misdirection or redistribution. If this method must be used, files must be encrypted and/or password protected
  • Paper

Can I obtain consent to correspond electronically with a patient?

Please refer to the Canadian Medical Protective Association (CMPA) for Consent to Use Electronic Communications.

Is consent required if photos are taken and will be used in a presentation?

It depends.

If it is in a business setting and the only people being photographed are involved in the project then consent is not required. If there are any other people whose photos may be included (such as a patient) then consent in writing is required.

Can I disclose medical records to anyone outside my practice?

Please refer to the College of Physicians and Surgeons of BC Medical Records guidelines.

How should records in paper format be disposed of?

Paper records can be disposed of by:

  • Cross-cut shredding
  • Incinerating
  • Outsourcing to a shredding company as long as you have a contract with them that covers security, privacy and confidentiality

When destroying information, a Certificate of Destruction should be completed.

How should data on portable media (CD/DVD/USB) be disposed of?

Data on portable media can be disposed of by:

  • Cross-cut shredding
  • Degaussing
  • Grinding
  • Incinerating
  • Sanitizing overwrites
  • Selective wipes
  • Outsourcing to a service provider as long as you have a contract with them that covers security, privacy and confidentiality

When destroying information, a Certificate of Destruction should be completed.

How should data on computers and servers (desktop, personal computer, laptop or file server) be disposed of?

Data on computers and servers can be disposed of by:

  • Degaussing
  • Grinding
  • Incinerating
  • Sanitizing overwrites
  • Selective wipes
  • Shredding
  • Outsourcing to a service provider as long as you have a contract with them that covers security, privacy and confidentiality

When destroying information, a Certificate of Destruction should be completed.

How should data on backup systems and media be disposed of?

Data on backup systems and media can be disposed of by:

  • Cross-cut shredding
  • Degaussing
  • Grinding
  • Incinerating
  • Sanitizing overwrites
  • Selective wipes
  • Outsourcing to a service provider as long as you have a contract with them that covers security, privacy and confidentiality

When destroying information, a Certificate of Destruction should be completed.

What if a patient asks us to send them an email to an email address we do not have on record?

If they are asking by email:

  • Contact them by phone to ensure the request was made by them
  • Reconfirm their email address
  • Enter the email address into your system for future use
  • Place a notation on the record that consent was given by email (specify the date and time)

If they are asking by phone:

  • Be sure to verify their identity (See “Identification” below)
  • Obtain their email address
  • Enter the email address into your system for future use
  • Place a notation on the record that consent was given over the phone (specify the date and time)

If they are asking in person:

  • Obtain their email address while in a private place
  • Enter the email address into your system for future use
  • Place a notation on the record that consent was given in person (specify the date and time)

Can I use a shared fax machine with the big box store in which my practice is located?

Physicians are discouraged from using shared fax equipment as control over access to patient data cannot be ensured. For more information, see Guidelines for Use of Email or Fax.

Is it safe to leave paper files unattended in the office?

No.

This should never be done, as the files could be at risk of unauthorized access or theft.

Is it safe to save files on your desktop?

No.

This should never be done, as the files will not be backed up and could be at risk of unauthorized access or computer theft after hours.

Is there a standard set of questions to ask when verifying someone's identity over the phone?

You can ask for 2-3 pieces of information that only the person would know. Do not provide the information and ask for confirmation. Instead, ask questions like:

  • What is your Care Card number?
  • What is your cell phone number?
  • What is your home address?
  • What is your home phone number?
  • What is your middle name?
  • What is your work phone number?
  • When did you see the doctor last?
  • When did you have your last blood test?
  • What is your birth date?

Keep in mind that someone impersonating a patient may already know much of this information.

When is it appropriate to provide your Social Insurance Number (SIN)?

Your SIN is the authorized number for income tax purposes under section 237 of the Income Tax Act and is used under certain federal programs. You have to give it to anyone who prepares an information slip (such as a T3, T4, or T5 slip) for you. Each time you do not give your SIN when you are supposed to, you may have to pay a penalty. You also have to give it to the Canada Revenue Agency (CRA) when you ask for personal tax information. If your SIN is missing or incorrect on your slips, advise your slip preparer (employer, issuer, or administrator of your information slip). Your SIN card is not a piece of identification, and it should be kept in a safe place. If you are asked to provide your SIN in any other circumstances, you should refuse and advise the:

  • Privacy Officer for the company asking for the information
  • Office of the Information and Privacy Commissioner for BC

How does someone challenge our compliance with privacy legislation?

Anyone can contact your privacy officer in writing, in person, by email or by phone with their concerns. Under PIPA, a response is required within 30 days. The privacy officer’s contact information should be published on your website or in your office. If the person is not satisfied with your response, they can make a complaint to the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.

Can you remotely scrub a mobile device if it is lost or stolen?

It depends.

Some devices can be disabled and/or scrubbed remotely.

If a portable device is lost or stolen, it should be immediately reported to:

  • The service provider who can suspend the service
  • The Police
  • Your privacy officer
  • Your IT support

How safe is it to save files on a USB key?

It depends on whether it is encrypted.

USB keys are small and are easy to lose. The best practice is to never put sensitive information on a USB key. If files have to be saved to a USB key, they must be encrypted and/or password protected.

What is personal information?

Information, including Personal Health Information, about an identifiable individual which includes factual or subjective information about that individual. This information includes, but is not limited to, name, personal address, birth date, physical description, medical history, gender, education, employment and visual images such as photographs or videotapes.

What safeguards over personal information can be put in place?

Organizational safeguards such as:

  • Confidentiality and data sharing agreements
  • Destruction of documents and data
  • Locked bins for confidential information to be shredded
  • New employee orientations
  • Policies, procedures and guidelines
  • Refresher training
  • Scanning documents

Physical safeguards such as:

  • Alarms after hours
  • Keeping equipment out of sight (e.g., files or laptop in the trunk)
  • Locked filing cabinets, cupboards and desk drawers
  • Restricted access to patient files
  • Smoke detectors

Technological safeguards such as:

  • Automatic keyboard time-out
  • Encrypting cell phones, laptops, USBs
  • Locking the keyboard when stepping away from the computer
  • Mobile phone password lock
  • Password protecting files
  • Role-based security access based on need to know
  • Transport Layer Security for transmission of files between organizations
  • Usernames and passwords

Can I contract with a third party outside Canada for appointment and recall services?

Physicians are discouraged from letting personal information of patients leave Canada, even though there is no requirement under PIPA.

If you do want to use a service provider that is outside Canada, you can obtain consent from the patient to use their email address for appointment and recall services. You should ensure that no additional personal information is included in the emails (such as name, Care Card number or medical conditions). For example, a recall message might say “Our records indicate you are due for a medical visit. Please contact our office to make an appointment.”

The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.

Can I contract with a third party outside Canada for transcription services?

Physicians are discouraged from letting personal information of patients leave Canada, even though there is no requirement under PIPA.

If you do want to use a service provider that is outside Canada, you can anonymize the data (by using initials instead of name or by using an ID number that is not associated with their government-issued IDs). Then the data being transcribed cannot be tied to an individual by the third party.

The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.

Can I grant remote access to a third party outside Canada for transcription services?

Physicians are discouraged from granting access to patients’ data in their EMR systems, as control over the information is compromised and the risk of a breach is high.

If you have a third party confidentiality agreement for the services, you would also need to provide:
  • a unique user ID and password
  • role-based access to patient information based on “need to know”
  • appropriate encryption levels
  • audit trails to track when a patient record is accessed and by whom, including date and time
  • forced password changes at regular intervals
  • password protected screen saver or auto logout after a period of inactivity

These safeguards are difficult to accomplish with a third party.

The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.
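The safeguards listed in the answer above (one credential per person, role-based access on a need-to-know basis, an audit trail recording who accessed which record and when, forced password changes, and auto-logout after inactivity) can be combined into a single access-check routine. The following is an added illustration, not code from Doctors of BC or from any EMR vendor; the roles, the 90-day and 15-minute thresholds, the user IDs and the patient records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for this example, not figures from the page.
PASSWORD_MAX_AGE = timedelta(days=90)     # forced password change interval
INACTIVITY_LIMIT = timedelta(minutes=15)  # auto-logout after this much idle time

# What each role needs for its job ("need to know"); the roster is constructed.
ROLE_ACTIONS = {
    "physician": {"read_chart", "write_chart", "read_demographics"},
    "moa": {"read_demographics"},          # medical office assistant: booking only
    "transcriber": {"write_transcript"},   # outside transcription service
}

@dataclass
class User:
    user_id: str            # one credential per person, never shared or emailed
    role: str
    password_set: datetime
    last_activity: datetime

@dataclass
class PatientRecord:
    record_id: str
    care_team: frozenset    # user_ids of staff currently providing care to this patient

@dataclass
class Decision:
    allowed: bool
    reason: str

# Audit trail: who touched which record, when, and whether it was permitted.
AUDIT_TRAIL: list[dict] = []

def check_access(user: User, record: PatientRecord, action: str,
                 now: datetime) -> Decision:
    """Apply the safeguards in order; every attempt, allowed or denied, is logged."""
    if now - user.last_activity > INACTIVITY_LIMIT:
        decision = Decision(False, "session expired; log in again")
    elif now - user.password_set > PASSWORD_MAX_AGE:
        decision = Decision(False, "password change required")
    elif action not in ROLE_ACTIONS.get(user.role, set()):
        decision = Decision(False, f"role '{user.role}' may not {action}")
    elif user.user_id not in record.care_team:
        # Catches family/friend lookups and staff with no care relationship.
        decision = Decision(False, "no care relationship with this patient")
    else:
        decision = Decision(True, "allowed")

    AUDIT_TRAIL.append({
        "time": now.isoformat(),       # date and time of the attempt
        "user": user.user_id,          # by whom
        "record": record.record_id,    # which patient record
        "action": action,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    if decision.allowed:
        user.last_activity = now
    return decision

def access_history(record_id: str) -> list[dict]:
    """Every access attempt on one record, with date, time and user."""
    return [e for e in AUDIT_TRAIL if e["record"] == record_id]

def denied_attempts(user_id: str) -> list[dict]:
    """Denied attempts by one user; a run of these is a review trigger."""
    return [e for e in AUDIT_TRAIL if e["user"] == user_id and not e["allowed"]]

def demo_scenario() -> dict:
    """Constructed sample run: a physician, an MOA and an outside transcriber."""
    AUDIT_TRAIL.clear()
    now = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    dr_lee = User("dr_lee", "physician", now - timedelta(days=10), now)
    scribe = User("scribe01", "transcriber", now - timedelta(days=5), now)
    moa = User("moa01", "moa", now - timedelta(days=200), now)  # password overdue
    mine = PatientRecord("P-1001", frozenset({"dr_lee", "scribe01", "moa01"}))
    friend = PatientRecord("P-2002", frozenset({"dr_chan"}))  # another physician's patient
    results = {
        "own_patient": check_access(dr_lee, mine, "read_chart", now),
        "friend_lookup": check_access(dr_lee, friend, "read_chart", now),
        "scribe_overreach": check_access(scribe, mine, "read_chart", now),
        "scribe_transcript": check_access(scribe, mine, "write_transcript", now),
        "stale_password": check_access(moa, mine, "read_demographics", now),
    }
    dr_lee.last_activity = now - timedelta(minutes=30)  # walked away from the terminal
    results["stale_session"] = check_access(dr_lee, mine, "read_chart", now)
    return results
```

Running demo_scenario() and then access_history("P-1001") shows the trail a privacy lead would review: each denied attempt is recorded with the same date, time and user fields as the allowed ones.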

Can I use cloud-based services in my medical practice?

Some cloud-based services, such as Google Cloud Print and Microsoft Office 365, store data on servers in the U.S. Physicians are discouraged from letting personal information of patients leave Canada, even though there is no requirement under PIPA.

Some cloud-based services may store data on servers in Canada. Questions you can ask potential cloud providers are:

  • Geographically, where will the data be stored and if in Canada, what is the proof?
  • Has the provider been involved in findings under the EDA, FOIPPA, PIPA, PIPEDA?
  • What security measures are in place to protect data, both physically and digitally?
  • Who will have access to the data?
  • What happens to the data once the contract with the provider is terminated?
  • Is data backed up regularly off-site and if so, where?

The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.

How can we make third parties accountable for protecting confidential information shared with them?

Ensure you have a Confidentiality and Data Sharing Agreement in place.

What are the safest ways to transmit personal information?

Whenever possible, employ the following methods of transmitting information:

  • Secure File Transfer Protocol (SFTP) - Secure transfer of files over the internet
  • Transport Layer Security (TLS) - Secure email communications between the Doctors of BC and other organizations
  • Virtual Private Network (VPN) - Secure, private tunnel between two or more devices across a public network

Less secure methods include:

  • Compact Disk via mail or courier where there are risks of loss in transit. If this method must be used, files must be encrypted and/or password protected, even if the CD is hand delivered.
  • Email where there are risks of misdirection or redistribution. If this method must be used, files must be encrypted and/or password protected.
  • Paper

I’ve opened a new rural practice in Smalltown, BC and will take over patient care from the Health Authority (HA). Will those patients’ medical records be subject to FIPPA or PIPA once I take over, and what considerations will affect how I can access the medical records?

It is a complex issue and needs to be dealt with on a case-by-case basis. The HA is governed by FIPPA and the physician’s office is governed by PIPA. The two pieces of legislation are not united, so it helps to look at it from the point of view of “who has custody or control of the medical records”, “who has liability if the records are not adequately protected”, and “who is most likely going to get sued”. If it is determined that FIPPA applies, s. 3(2)(d) of PIPA states that PIPA will not apply. Legal custody and control are relevant because of the legislation.

There are many considerations that can affect how medical records will be accessed. For example:

  • Whose patient is it?
  • Who will have custody and control of the medical records?
  • Does the patient need to provide consent for your office to provide care?
  • How can continuity of care be ensured?
  • What are the patient’s expectations with respect to how their personal information should be handled?
  • Will your office be within the HA or in a different location?
  • Will you be using an Electronic Medical Records system?
  • Will you require copies of all patient records and work independently of the HA?
  • Will you work collaboratively on patient care with the HA so that information will flow in both directions?
  • If you are working collaboratively on patient care with the HA, are you privileged or credentialed with that HA?
  • Will medical records remain on the HA’s Electronic Health Records system?

Can I access my family or friend’s medical records?

No. Physicians and their staff are not allowed to access these records unless the practice is providing care.

Can I share my password with visiting physicians or locums?

Physicians should refrain from sharing their login information with other physicians.

  • Each individual should have their own unique credentials for system access.
  • Login information should never be communicated by email.
  • If login information is received by email from a vendor, the email should be deleted as soon as possible.