How BC physicians in private practice can meet their PIPA obligations

Health information is among the most sensitive forms of personal information – and protecting it is foundational to the doctor-patient relationship.  

The increasing convenience for physicians to use technologies such as smart phones and tablets, emails and websites, and video conferencing to consult with colleagues, patients, and other health care providers has meant a change in the way that personal health information is collected, used and disclosed.  

However, this greater reliance on technology to communicate patient care with others brings with it increased security risks and greater challenges for physicians to maintain confidentiality of their patients’ personal health information. Lost or stolen laptops, intercepted electronic communications, and unencrypted memory sticks are just a few of the many ways privacy breaches can occur.

To assist physicians in meeting their obligations under the Personal Information Protection Act (PIPA), Doctors of BC, the Office of the Information and Privacy Commissioner for BC, and the College of Physicians and Surgeons of BC have partnered to update the BC Physician Privacy Toolkit: A guide for physicians in private practice, originally published in 2004 and subsequently updated in 2009 and now in 2017.

Along with the updated BC Physician Privacy Toolkit, this site includes comprehensive resources physicians can rely on to make complying with PIPA easy and straightforward.

Privacy Toolkit

Here's a PIPA FACT SHEET for quick reference

Within each section you will find:

  • TIPS: a high level introduction to the topic
  • LEARN MORE: for more in depth information
  • CHECKLIST: a list of steps to implement your privacy management program
  • VIEW VIDEO: walks you through each topic

 

What legislation applies?

Personal Information Protection Act (PIPA)

LEARN MORE 

VIEW VIDEO  3:32 

What are your responsibilities?

Comply with all 10 Principles of PIPA

  1. Assign accountability
  2. Identify purpose
  3. Obtain consent
  4. Limit collection
  5. Use, disclose and retain appropriately
  6. Maintain accuracy
  7. Employ safeguards
  8. Be transparent
  9. Provide access
  10. Permit recourse

LEARN MORE 

 

Principle 1 Be Accountable

TIPS

  • Appoint a physician to be responsible for compliance (actual work can be delegated)
  • Protect all personal information held in any form by your organization or 3rd parties
  • Document and implement personal information policies and procedures
  • Regularly assess your privacy management program and address any shortcomings
  • Be prepared to show you have a privacy management program in place that is being followed in case you are audited
  • Be prepared to notify patients and report to the Privacy Commissioner when there is a breach

LEARN MORE 

CHECKLIST 

VIEW VIDEO  3:20

Principle 2 Identify Purpose

TIPS

  • Provide reasons for collecting personal information before or at the time collected
  • Document why information is collected in policies and/or procedures
  • Inform individual why it is needed and document it in their record
  • Identify any new purpose to individual

LEARN MORE 

CHECKLIST 

VIEW VIDEO  2:49

Principle 3 Obtain Consent

TIPS

  • Obtain consent to use and disclose before or at the time personal information is collected
  • Obtain consent after personal information is collected if using for a new purpose
  • Never use deceptive means to obtain consent
  • Never withhold services to someone failing to consent
  • Explain implications of individual withdrawing consent

LEARN MORE 

CHECKLIST 

VIEW VIDEO  3:13

Principle 4 Limit Collection

TIPS

  • Only collect information necessary for the identified purposes
  • Identify the type of personal information collected in policies and procedures documents
  • Ensure employees can explain why information is needed

LEARN MORE 

CHECKLIST 

VIEW VIDEO 2:10

Principle 5a Limit Use

TIPS

  • Only use personal information for the purposes it was collected
  • Follow safe practices when using electronic communication methods (fax, email)
  • Never use personal information for research purposes without explicit consent

LEARN MORE  (Note: The same LEARN MORE file applies to 5a, 5b and 5c)

CHECKLIST 

VIEW VIDEO  1:34 

Principle 5b Limit Disclosure

TIPS

  • Only disclose personal information for the purposes it was collected
  • Have an information sharing agreement in place with the party you are sharing with

LEARN MORE  (Note: The same LEARN MORE file applies to 5a, 5b and 5c)

CHECKLIST 

VIEW VIDEO  2:33

Principle 5c Limit Retention

TIPS

  • Document retention periods to comply with legal and regulatory requirements
  • Only retain personal information until it no longer fulfills its intended purpose
  • Dispose of personal information in a way that prevents a privacy breach
  • Before disposing of electronic devices* ensure that all personal information is fully deleted

* Computers, photocopiers, cellular phones, etc.

LEARN MORE  (Note: The same LEARN MORE file applies to 5a, 5b and 5c)

CHECKLIST 

VIEW VIDEO  3:00

Principle 6 Maintain Accuracy

TIPS

  • Establish policies setting out types of information to be updated on a regular basis

LEARN MORE 

CHECKLIST 

VIEW VIDEO  3:27

Principle 7 Employ Safeguards

TIPS

  • Protect all personal information held in any form against loss or theft
  • Document and implement information and system security policies and procedures*
  • Regularly assess your security management program and address any shortcomings
  • Be prepared to show you have a security management program in place that is being followed in case you are audited

*Include administrative, physical, and technological safeguards

LEARN MORE 

CHECKLIST 

VIEW VIDEO  4:36

Principle 8 Be Open and Transparent

TIPS

  • Ensure front-line employees are trained to respond to inquiries
  • Publish the name, title and contact information and procedures for
    • Privacy Officer
    • Access requests
    • Complaints
  • Publish your privacy policies and procedures*

* On websites, in brochures, etc.

LEARN MORE 

CHECKLIST 

VIEW VIDEO  2:29

Principle 9 Provide Access

TIPS

  • Develop simple and easily accessible access procedures
  • Provide guidance to the individual making the request
  • Provide details of personal information you have about an individual to that individual
  • Explain how the information has been used, including names of external organizations to which it has been disclosed
  • Give individuals access to their information at minimal or no cost
  • Give notice to individuals of approximate costs before processing their request
  • Explain acronyms to ensure information is understandable
  • Correct information upon request by the individual
  • Respond within 30 days
  • Inform the individual in writing when refusing to give access, setting out reasons and recourse available

LEARN MORE 

CHECKLIST 

VIEW VIDEO  2:46

Principle 10 Permit Recourse

TIPS

  • Develop simple and easily accessible complaint procedures
  • Provide guidance to the individual making the complaint
  • Record the date a complaint is received and acknowledge receipt to the individual
  • Contact the individual to clarify the complaint, if necessary
  • Assign the matter to a qualified person who can review it fairly and impartially
  • Notify individuals of the outcome of investigations clearly and promptly, including any steps taken
  • Correct any inaccurate personal information or modify policies and procedures
  • Ensure employees are made aware of any changes

LEARN MORE 

CHECKLIST 

VIEW VIDEO  2:43

 

To find a question you need an answer to, press Crtl-F on your keyboard and enter a keyword. For example, if you are looking for information about how to respond to a privacy breach, enter the word breach and press the enter key.

How can a patient request access to their personal information?

The patient can complete and send you the Patient Request for Access to Personal Information  form.

How can a personal representative of a deceased patient request access to their loved one’s medical records?

Under Section 3 of the PIPA Regulations, the “personal representative of the individual at the time of the individual’s death or, if there is no personal representative, the nearest relative” may exercise access rights of the deceased individual and give or refuse consent to the collection ,use and disclosure of personal information of the deceased.

The personal representative can complete and send you the Patient Request for Access to Personal Information  form. A physician is obligated to provide a copy of records when provided with a written, dated authorization form.

How much can I charge for providing access to a patient’s medical records?

PIPA permits a physician to charge a “minimal fee” for access to a patient’s medical records. Providing copies of relevant information contained in a medical record and/or forwarding a file to another physician should be done promptly and never be delayed pending payment of the “minimal fee”. Physicians should be mindful of the patient’s economic circumstances when charging this fee.

The Office of the Information and Privacy Commissioner for BC interprets “minimal fee” to be a “nominal fee”.

For more information from the College of Physicians and Surgeons of BC, see Medical Records.

What is required to provide patient information to law enforcement agencies?

While it is not mandatory, PIPA permits the disclosure of personal information to a law enforcement agency to assist in an investigation (or the decision to undertake an investigation) to determine whether the offence has taken place or to prepare for the laying of a charge or prosecution of the offense in Section 18 (j).

For more information from the College of Physicians and Surgeons of BC, see Disclosure of Patient Information.

What should I do if I accidentally mail something to the wrong address?

When the mistaken recipient contacts you, ask them if they opened the envelope. If they did not open it, ask them to mark it as “Return to Sender” and put it in the mail. Once it is received:

  • Examine the envelope to ensure it was not tampered with.
  • Open the envelope and remove the contents, discarding the old envelope.
  • Place the contents in a new envelope addressed to the correct recipient and put it in the mail.

If they did open it, ask them to shred the contents and confirm when that has been done. Once they have confirmed destruction:

  • Prepare an apology letter that includes the following:
    • This correspondence containing personal and confidential information was sent to an unintended recipient.
    • We value the privacy and security of your information and have asked the recipient to confirm secure destruction of the information.
    • We do not believe your confidential information has been compromised but are obligated to advise you of this error. If you are concerned about your personal information being compromised, you can contact credit reporting agencies to set up a credit watch (e.g., Equifax or TransUnion).
    • You have to option to file a formal complaint with the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
    • We apologize for any inconvenience this error has caused. If you have any questions or concerns, please feel free to contact me or send an email to our privacy officer at <provide email address here>.
  • Prepare the original correspondence again.
  • Place the contents in an envelope addressed to the correct recipient.
What should I do if I accidentally send a fax to the wrong number?

When the mistaken recipient contacts you, ask them to immediately shred the faxed documents.
Once they have confirmed destruction:

  • Prepare an apology letter that includes the following:
    • This fax containing personal and confidential information was sent to an unintended recipient.
    • We value the privacy and security of your information and have asked the recipient to confirm secure destruction of the information.
    • We do not believe your confidential information has been compromised but are obligated to advise you of this error. If you are concerned about your personal information being compromised, you can contact credit reporting agencies to set up a credit watch (e.g., Equifax or TransUnion).
    • You have to option to file a formal complaint with the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
    • We apologize for any inconvenience this error has caused. If you have any questions or concerns, please feel free to contact me or send an email to our privacy officer at <provide email address here>.
  • Prepare the fax cover page again and add 1 page to the total number of pages.
  • Fax the documents and apology letter to the correct recipient.

Check to ensure you have a fax disclaimer set up so that all outgoing faxes include the disclaimer. See Fax Disclaimer Template .

What should I do if I accidentally send an email to the wrong person?

Send an email to the mistaken recipient asking them to:

  • Permanently delete the email from your email folders,
  • Permanently delete the email from the server of your email provider,
  • Permanently delete any electronic copies you may have saved,
  • Shred any copies you may have printed and
  • Confirm by return email once these steps have been completed.

Send the email to the correct recipient and with an apology that includes the following:

  • This email containing personal and confidential information was sent to an unintended recipient.
  • List the types of sensitive information that was mistakenly disclosed (e.g., name, gender, age, Care Card number, home address, phone number, email address, medical information).
  • We value the privacy and security of your information and have taken the following steps:
    • Asked the recipient to confirm permanent deletion and secure destruction of the information.
    • Reviewed our procedures to prevent this from occurring in the future.
    • Communicated those procedures to staff.
  • We do not believe your confidential information has been compromised but are obligated to advise you of this error. If you are concerned about your personal information being compromised, you can contact credit reporting agencies to set up a credit watch (e.g., Equifax or TransUnion).
  • You have to option to file a formal complaint with the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
  • We apologize for any inconvenience this error has caused. If you have any questions or concerns, please feel free to contact me or send an email to our privacy officer at <provide email address here>.

Check to ensure you have an email disclaimer set up so that all outgoing email includes the disclaimer. See Email Disclaimer Template .

How can a patient request a correction to their personal information?

The patient can complete and send you the Patient Request to Correct Personal Information  form.

What internal controls can be put in place to ensure accuracy?

There are several internal controls in place such as:

  • Programmed edits to ensure correct format
  • Manual quality control checks by someone other than the person doing data entry
  • External audits
  • Internal reviews and audits
  • Interaction with external parties
  • Segregation of duties
  • Reconciliations
What is a privacy breach and what needs to be done if it happens?

A privacy breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information. The most common privacy breach happens when personal information of members, non-members or employees is stolen, lost or accidentally disclosed. There are two different kinds of breaches:

  • Accidental
    • Sending an email to the wrong email address
    • Sending a fax to the wrong number
    • Backup lost in transit (same problem can happen with CDs)
    • Policy violation due to lack of training
    • Janitors remove paper records that were not locked up
  • Criminal
    • Hacking
    • Stolen laptop
    • Stolen backup
    • Dishonest employee
    • Unauthorized intrusion into systems
    • Debit machine thieves

If you know or suspect a breach has occurred, immediately notify your Privacy Officer. Depending on the scope of the breach, they may contact the Office of the Information and Privacy Commissioner for BC. The contact information can be found at
https://www.oipc.bc.ca/about/contact-us/.

For more information from the Office of the Information and Privacy Commissioner for BC, see  Privacy Breaches: Tools and Resources.

What are the safest ways to collect personal information?

Patient information should be collected on a standard form. 

If collecting information verbally, ensure you are in a private place where no one else can hear. 

Whenever possible, you should employ the following methods of receiving information:

  • Secure File Transfer Protocol (SFTP) - Secure transfer of files over the internet
  • Transport Layer Security (TLS) - Secure email communications between the Doctors of BC and other organizations
  • Virtual Private Network (VPN) - Secure, private tunnel between two or more devices across a public network

Less secure methods include:

  • Compact disk via mail or courier where there are risks of loss in transit. If this method must be used, files must be encrypted and/or password protected, even if the CD is hand-delivered
  • Email where there are risks of misdirection or redistribution. If this method must be used, files must be encrypted and/or password protected
  • Paper
Can I obtain consent to correspond electronically with a patient?

Please refer to the Canadian Medical Protective Association (CMPA) for Consent to Use Electronic Communications.

Is consent required if photos are taken and will be used in a presentation?

It depends.

If it is in a business setting and the only people being photographed are involved in the project then consent is not required. If there are any other people whose photos may be included (such as patient) then consent in writing is required.

Can I disclose medical records to anyone outside my practice?

Please refer to the College of Physicians and Surgeons of BC Medical Records guidelines. 

How should records in paper format be disposed of?

Paper records can be disposed of by:

  • Cross-cut shredding
  • Incinerating
  • Outsourcing to a shredding company as long as you have a contract with them that covers security, privacy and confidentiality

When destroying information, a Certificate of Destruction  should be completed.

How should data on portable media (CD/DVD/USB) be disposed of?

Data on portable media can be disposed of by:

  • Cross-cut shredding
  • Degaussing
  • Grinding
  • Incinerating
  • Sanitizing overwrites
  • Selective wipes
  • Outsourcing to a service provider as long as you have a contract with them that covers security, privacy and confidentiality

When destroying information, a Certificate of Destruction  should be completed.

How should data on computers and servers (desktop, personal computer, laptop or file server) be disposed of?

Data on computers and servers can be disposed of by:

  • Degaussing
  • Grinding
  • Incinerating
  • Sanitizing overwrites
  • Selective wipes
  • Shredding
  • Outsourcing to a service provider as long as you have a contract with them that covers security, privacy and confidentiality

When destroying information, a Certificate of Destruction  should be completed.

How should data on backup systems and media be disposed of?

Data on backup systems and media can be disposed of by:

  • Cross-cut shredding
  • Degaussing
  • Grinding
  • Incinerating
  • Sanitizing overwrites
  • Selective wipes
  • Outsourcing to a service provider as long as you have a contract with them that covers security, privacy and confidentiality

When destroying information, a Certificate of Destruction  should be completed.

What if a patient asks us to send them an email to an email address we do not have on record?

If they are asking by email:

  • Contact them by phone to ensure the request was made by them
  • Reconfirm their email address
  • Enter the email address into your system for future use
  • Place a notation on the record that consent was given by email (specify the date and time)

If they are asking by phone:

  • Be sure to verify their identity (See “Identification” below)
  • Obtain their email address
  • Enter the email address into your system for future use
  • Place a notation on the record that consent was given over the phone (specify the date and time)

If they are asking in person:

  • Obtain their email address while in a private place
  • Enter the email address into your system for future use
  • Place a notation on the record that consent was given in person (specify the date and time)
Can I use a shared fax machine with the big box store in which my practice is located?

Physicians are discouraged from using shared fax equipment as control over access to patient data cannot be ensured. For more information, see Guidelines for Use of Email or Fax .

Is it safe to leave paper files unattended in the office?

No.

This should never be done as they could at risk of unauthorized access or theft.

Is it safe to save files on the C:\ drive on your desktop?

No.

This should never be done as the files will not be backed up and there is potential that they could at risk of unauthorized access or computer theft after-hours.

Is there a standard set of questions to ask when verifying someone's identity over the phone?

You can ask for 2-3 pieces of information that only the person would know. Do not provide the information and ask for confirmation. Instead, ask questions like:

  • What is your Care Card number?
  • What is your cell phone number?
  • What is your home address?
  • What is your home phone number?
  • What is your middle name?
  • What is your work phone number?
  • When did you see the doctor last?
  • When did you have your last blood test?
  • What is your birth date?

Keep in mind that someone impersonating a patient may already know much of this information.

When is it appropriate to provide your Social Insurance Number (SIN)?

Your SIN is the authorized number for income tax purposes under section 237 of the Income Tax Act and is used under certain federal programs. You have to give it to anyone who prepares an information slip (such as a T3, T4, or T5 slip) for you. Each time you do not give your SIN when you are supposed to, you may have to pay a penalty. You also have to give it to the Canada Revenue Agency (CRA) when you ask for personal tax information. If your SIN is missing or incorrect on your slips, advise your slip preparer (employer, issuer, or administrator of your information slip). Your SIN card is not a piece of identification, and it should be kept in a safe place. If you are asked to provide your SIN in any other circumstances, you should refuse and advise the:

  • Privacy Officer for the company asking for the information
  • Office of the Information and Privacy Commissioner for BC
How does someone challenge our compliance with privacy legislation?

Anyone can contact your privacy officer in writing, in person, by email or by phone with their concerns. Under PIPA, a response is required within 30 days. Their contact information should be published on your website or in your office. If they are not satisfied with your response, they can make a compliant to the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.

Can you remotely scrub a mobile device if it is lost or stolen?

It depends.

Some devices can be disabled and/or scrubbed remotely.

If a portable device is lost or stolen, it should be immediately reported to:

  • The service provider who can suspend the service
  • The Police
  • Your privacy officer
  • Your IT support
How safe is it to save files on a USB key?

It depends on whether it is encrypted.

USB keys are small and are easy to lose. The best practice is to never put sensitive information on a USB key. If files have to be saved to a USB key, they must be encrypted and/or password protected.

What is personal information?

Information, including Personal Health Information, about an identifiable individual which includes factual or subjective information about that individual. This information includes, but is not limited to, name, personal address, birth date, physical description, medical history, gender, education, employment and visual images such as photographs or videotapes.

What safeguards over personal information can be put in place?

Organizational safeguards such as:

  • Confidentiality and data sharing agreements
  • Destruction of documents and data
  • Locked bins for confidential information to be shredded
  • New employee orientations
  • Policies, procedures and guidelines
  • Refresher training
  • Scanning documents

Physical safeguards such as:

  • Alarms after hours
  • Keeping equipment out of site (e.g., files or laptop in the trunk)
  • Locked filing cabinets, cupboards and desk drawers
  • Restricted access to patient files
  • Smoke detectors

Technological safeguards such as :

  • Automatic keyboard time-out
  • Encrypting cell phones, laptops, USBs
  • Locking the keyboard when stepping away from the computer
  • Mobile phone password lock
  • Password protecting files
  • Role-based security access based on need to know
  • Transport Layer Security for transmission of files between organizations
  • Usernames and passwords
Can I contract with a third party outside Canada for appointment and recall services?

Physicians are discouraged from letting personal information of patients leave Canada, even though there is no requirement under PIPA.

If you do want to use a service provider that is outside Canada, you can obtain consent from the patient to use their email address for appointment and recall services. You should ensure that no additional personal information is included in the emails such as name, Care Card number, medical conditions). For example, a recall message might say “Our records indicate you are due for a medical visit. Please contact our office to make an appointment.”

The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.

Can I contract with a third party outside Canada for transcription services?

Physicians are discouraged from letting personal information of patients leave Canada, even though there is no requirement under PIPA.

If you do want to use a service provider that is outside Canada, you can anonymize the data (by using initials instead of name or by using an ID number that is not associated with their government-issued IDs). Then the data being transcribed cannot be tied to an individual by the third party.

The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.

Can I grant remote access to a third party outside Canada for transcription services?

Physicians are discouraged from granting access to patients’ data in their EMR systems as the control over the information is compromised and risk of a breach is high.
If you have a third party confidentiality agreement for the services and can provide

  • a unique user ID and password
  • role-based access to patient information based on “need to know”
  • appropriate encryption levels
  • audit trails to track when a patient record is accessed and by whom, including date and time
  • forced password changes at regular intervals
  • password protected screen saver or auto logout after a period of inactivity

These safeguards are difficult to accomplish with a third party.

The Canadian Medical Protective Association (CMPA) does not condone use of  non-Canadian-based service providers when personal information is involved.

Can I use cloud-based services in my medical practice?

Some cloud-based services such as Google Cloud print and Microsoft Office 365 store data on servers in the U.S. Physicians are discouraged from letting personal information of patients leave Canada, even though there is no requirement under PIPA.

Some cloud-based services may store data on servers in Canada. Questions you can ask potential cloud providers are:

  • Geographically, where will the data be stored and if in Canada, what is the proof?
  • Has the provider been involved in findings under the EDA, FOIPPA, PIPA, PIPEDA?
  • What security measures are in place to protect data, both physically and digitally?
  • Who will have access to the data?
  • What happens to the data once the contract with the provider is terminated?
  • Is data backed up regularly off-site and if so, where?

The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.

How can we make third parties accountable for protecting confidential information shared with them?

Ensure you have a Confidentiality and Data Sharing Agreement  in place.

What are the safest ways to transmit personal information?

Whenever possible, employ the following methods of transmitting information:

  • Secure File Transfer Protocol (SFTP) - Secure transfer of files over the internet
  • Transport Layer Security (TLS) - Secure email communications between the Doctors of BC and other organizations
  • Virtual Private Network (VPN) - Secure, private tunnel between two or more devices across a public network

Less secure methods include:

  • Compact Disk via mail or courier where there are risks of loss in transit. If this method must be used, files must be encrypted and/or password protected, even if the CD is hand delivered.
  • Email where there are risks of misdirection or redistribution. If this method must be used, files must be encrypted and/or password protected.
  • Paper
I’ve opened a new rural practice in Smalltown, BC and will take over patient care from the Health Authority (HA). Will those patients’ medical records be subject to FIPPA or PIPA once I take over, and what considerations will affect how I can access the medical records?

It is a complex issue and needs to be dealt with on a case by case basis. The HA is governed by FIPPA and the physician’s office is governed by PIPA. The legislation is not united, so it helps to look at it from the point of view of “who has custody or control of the medical records”, “who has liability if the records are not adequately protected”, and “who is most likely going to get sued”? If it is determined that FIPPA applies, s. 3(2)(d) of PIPA states that PIPA will not apply. Legal custody and control is relevant because of the legislation.

There are many considerations that can affect how medical records will be accessed. For example:

  • Whose patient is it?
  • Who will have custody and control of the medical records?
  • Does the patient need to provide consent for your office to provide care?
  • How can continuity of care be ensured?
  • What are the patient’s expectations with respect to how their personal information should be handled?
  • Will your office be within the HA or in a different location?
  • Will you be using an Electronic Medical Records system?
  • Will you require copies of all patient records and work independently of the HA?
  • Will you work collaboratively on patient care with the HA so that information will flow in both directions?
  • If you are working collaboratively on patient care with the HA, are you privileged or credentialed with that HA?
  • Will medical records remain on the HA’s Electronic Health Records system?
Can I access my family or friend’s medical records?

No.

Physicians and their staff are not allowed to access these records unless the practice is providing care.

What’s the difference between FIPPA and PIPA legislation?

Physicians who are working in a physician’s office but are also providing services to a public health organization will generally be governed by

  • PIPA with respect to the personal information collected, used and disclosed by the private office
  • FIPPA with respect to the personal information they collect, use and disclose in their capacity as physicians for the public health organization

There are some notable differences between PIPA and FIPPA:

  • PIPA does not include the FIPPA provisions regarding storage and access to personal information from outside Canada. As long as privacy is contractually protected, data can be stored or accessed from outside Canada.
  • PIPA requires consent for the collection, use, and disclosure of personal information. It is up to the organization to determine whether the form of consent is expressed (written or verbal opt-in) or implied (opt-out or deemed).
  • FIPPA does not contain consent requirements; instead it operates on the principle of appropriate authority and “notification” for collection of information.
Can I share my password with visiting physicians or locums?

Physicians should refrain from sharing their login information with other physicians.

  • Each individual should have their own unique credentials for system access.
  • Login information should never be communicated by email.
  • If login information is received by email from a vendor, the email should be deleted as soon as possible.
Another FAQ coming soon...

New tab content

 

On this page

  • Definitions and resources from the full privacy toolkit document
  • Wording for email and fax disclaimers
  • Key elements for conducting a privacy impact assessment
  • a patient handout and poster
  • a customizable privacy policy template

 

Definitions 

Email Disclaimer 

Fax Disclaimer 

Patient Handout – Privacy of Your Personal Health Information 

Poster – Keeping Your Personal Health Information Private 

Privacy Impact Assessment - Key Elements 

Privacy and Security Resources for Physicians 

Privacy Policy Template 

Website Terms of Use Agreement (CMPA)

What's so great about the new Privacy Toolkit? VIEW VIDEO  5:48

The Information and Privacy Commissioner for BC expects your practice to have a privacy management program that includes training and education.

  • These videos are about 2-4 minutes long and are accompanied by Notes pages which include points discussed.  
  • They can be used individually to explore specific topics.
  • A full video is available for employee orientation and refresher training in your practice. 

Navigating the Toolkit

Video Notes Pages Navigating

Learn where to find:

  • The Privacy Toolkit
  • The Basics (laws, your responsibilities, principles)
  • Guidelines
  • FAQs
  • Forms
  • Tools
  • Videos

Understanding the Law

Video Notes Pages

Learn about the legislative framework in the BC healthcare system.

TOPICS

  • Why privacy laws are needed
  • Why there are different laws
  • What the 10 principles that underlie PIPA are
  • Where to find more resources

Getting Accountability Right

Video Notes Pages

Learn about being accountable

TOPICS

  • What accountability is
  • Why accountability is important
  • How to get started
  • Where to find more resources

(Privacy Principle 1)

What's the Purpose?

Video Notes Pages

Learn about identifying the purpose for personal information

TOPICS

  • Why you need to know the purpose
  • Why "need to know" rules over "nice to know"
  • How to get started
  • Where to find more resources

(Privacy Principle 2)

Types of Consent

Video Notes Pages

Learn about obtaining consent

TOPICS

  • The different types of consent
  • How to get started
  • Where to find more resources

(Privacy Principle 3)

Is it Really Necessary?

Video Notes Pages

Learn about limiting collection of personal information

TOPICS

  • Asking why you need personal information
  • How to get started
  • Where to find more resources

(Privacy Principle 4)

What's the Use?

Video Notes Pages

Learn about limiting use of personal information

TOPICS

  • What you should use personal information for
  • How to get started
  • Where to find more resources

(Privacy Principle 5)

To Tell or Not to Tell ... That is the Question

Video Notes Pages

Learn about limiting disclosure of personal information

TOPICS

  • When it's ok to disclose personal information
  • When it's not ok to disclose personal information
  • How to get started
  • Where to find more resources

(Privacy Principle 5)

How Long is it Kept?

Video Notes Pages

Learn about limiting how long you retain personal information

TOPICS

  • How long personal information should be kept
  • What the purposes are for keeping records
  • How to get started
  • Where to find more resources

(Privacy Principle 5)

Keeping it Accurate

Video Notes Pages

Learn about maintaining accurate personal information

TOPICS

  • Why records need to be maintained accurately
  • How to get started with:
    • Paper records
    • Electronic medical records
  • Where to find more resources

(Privacy Principle 6)

Keeping it Safe

Video Notes Pages

Learn about employing safeguards over personal information

TOPICS

  • What types of safeguards you can use:
    • Administrative
    • Physical
    • Technology
  • Why periodic reviews are needed
  • How to get started
  • Where to find more resources

(Privacy Principle 7)

Where's the Policy?

Video Notes Pages

Learn about being open and transparent

TOPICS

  • Why you need to be open and transparent
  • How to get started
  • Where to find more resources

(Privacy Principle 8)

Making it Accessible

Video Notes Pages

Learn about providing access to personal information

TOPICS

  • Who is allowed to access what
  • How to get started
  • Where to find more resources

(Privacy Principle 9)

Handling Complaints

Video Notes Pages

Learn about permitting recourse and handling complaints

TOPICS

  • Why someone might complain
  • Why you need to train employees
  • How to get started
  • Where to find more resources

(Privacy Principle 10)

Responding to Breaches

Video Notes Pages

Learn how to respond to a privacy breach

TOPICS

  • What a privacy breach is
  • How to get started
  • The 4 steps for responding to a breach
  • Where to find more resources

Can it be Shared?

Video Notes Pages

Learn when you are allowed to share personal information

TOPICS

  • When you can share personal information
  • How to get started
  • What a privacy impact assessment (PIA) is
  • Where to find more resources

Is Email Safe?

Video Notes Pages

Learn about the risks of using email to communicate personal information

TOPICS

  • What the risks are
  • How to get started
  • Why you should check the email address
  • Where to find more resources

Is Fax Safe?

Video Notes Pages

Learn about the risks of using fax to communicate personal information

TOPICS

  • What the risks are
  • How to get started
  • Why you should check the fax number
  • Where to find more resources

What About Wireless?

Video Notes Pages

Learn about the risks of using wireless to communicate personal information

TOPICS

  • What Wi-Fi is
  • What the risks are
  • How to get started
  • Where to find more resources

 

How Should it be Destroyed?

Video Notes Pages

Learn about how to securely destroy personal information

TOPICS

  • How to safely destroy personal information
  • How to get started
  • Who you can outsource to
  • Where to find more resources

Virtual Healthcare

Video Notes Pages

Learn about keeping personal information safe during virtual healthcare

TOPICS

  • Controls you need to have
    • Organizational
    • Physical
    • Technology
  • Where to find more resources