To find a question you need an answer to, press Ctrl-F on your keyboard and enter a keyword. For example, if you are looking for information about how to respond to a privacy breach, enter the word breach and press the enter key.
- How can a patient request access to their personal information?
The patient can complete and send you the Patient Request for Access to Personal Information form.
- How can a personal representative of a deceased patient request access to their loved one’s medical records?
Under Section 3 of the PIPA Regulations, the “personal representative of the individual at the time of the individual’s death or, if there is no personal representative, the nearest relative” may exercise access rights of the deceased individual and give or refuse consent to the collection, use and disclosure of personal information of the deceased.
The personal representative can complete and send you the Patient Request for Access to Personal Information form. A physician is obligated to provide a copy of records when provided with a written, dated authorization form.
- How much can I charge for providing access to a patient’s medical records?
PIPA permits a physician to charge a “minimal fee” for access to a patient’s medical records. Providing copies of relevant information contained in a medical record and/or forwarding a file to another physician should be done promptly and never be delayed pending payment of the “minimal fee”. Physicians should be mindful of the patient’s economic circumstances when charging this fee.
The Office of the Information and Privacy Commissioner for BC interprets “minimal fee” to be a “nominal fee”.
For more information from the College of Physicians and Surgeons of BC, see Medical Records.
- What is required to provide patient information to law enforcement agencies?
While it is not mandatory, PIPA Section 18(j) permits the disclosure of personal information to a law enforcement agency to assist in an investigation (or in the decision to undertake an investigation) to determine whether an offence has taken place, or to prepare for the laying of a charge or the prosecution of the offence.
For more information from the College of Physicians and Surgeons of BC, see Disclosure of Patient Information.
- What should I do if I accidentally mail something to the wrong address?
When the mistaken recipient contacts you, ask them if they opened the envelope. If they did not open it, ask them to mark it as “Return to Sender” and put it in the mail. Once it is received:
- Examine the envelope to ensure it was not tampered with.
- Open the envelope and remove the contents, discarding the old envelope.
- Place the contents in a new envelope addressed to the correct recipient and put it in the mail.
If they did open it, ask them to shred the contents and confirm when that has been done. Once they have confirmed destruction:
- Prepare an apology letter that includes the following:
- This correspondence containing personal and confidential information was sent to an unintended recipient.
- We value the privacy and security of your information and have asked the recipient to confirm secure destruction of the information.
- We do not believe your confidential information has been compromised but are obligated to advise you of this error. If you are concerned about your personal information being compromised, you can contact credit reporting agencies to set up a credit watch (e.g., Equifax or TransUnion).
- You have the option to file a formal complaint with the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
- We apologize for any inconvenience this error has caused. If you have any questions or concerns, please feel free to contact me or send an email to our privacy officer at <provide email address here>.
- Prepare the original correspondence again.
- Place the contents in an envelope addressed to the correct recipient.
- What should I do if I accidentally send a fax to the wrong number?
When the mistaken recipient contacts you, ask them to immediately shred the faxed documents.
Once they have confirmed destruction:
- Prepare an apology letter that includes the following:
- This fax containing personal and confidential information was sent to an unintended recipient.
- We value the privacy and security of your information and have asked the recipient to confirm secure destruction of the information.
- We do not believe your confidential information has been compromised but are obligated to advise you of this error. If you are concerned about your personal information being compromised, you can contact credit reporting agencies to set up a credit watch (e.g., Equifax or TransUnion).
- You have the option to file a formal complaint with the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
- We apologize for any inconvenience this error has caused. If you have any questions or concerns, please feel free to contact me or send an email to our privacy officer at <provide email address here>.
- Prepare the fax cover page again and add 1 page to the total number of pages.
- Fax the documents and apology letter to the correct recipient.
Check to ensure you have a fax disclaimer set up so that all outgoing faxes include the disclaimer. See Fax Disclaimer Template.
- What should I do if I accidentally send an email to the wrong person?
Send an email to the mistaken recipient asking them to:
- Permanently delete the email from your email folders,
- Permanently delete the email from the server of your email provider,
- Permanently delete any electronic copies you may have saved,
- Shred any copies you may have printed and
- Confirm by return email once these steps have been completed.
Send the email to the correct recipient with an apology that includes the following:
- This email containing personal and confidential information was sent to an unintended recipient.
- List the types of sensitive information that was mistakenly disclosed (e.g., name, gender, age, Care Card number, home address, phone number, email address, medical information).
- We value the privacy and security of your information and have taken the following steps:
- Asked the recipient to confirm permanent deletion and secure destruction of the information.
- Reviewed our procedures to prevent this from occurring in the future.
- Communicated those procedures to staff.
- We do not believe your confidential information has been compromised but are obligated to advise you of this error. If you are concerned about your personal information being compromised, you can contact credit reporting agencies to set up a credit watch (e.g., Equifax or TransUnion).
- You have the option to file a formal complaint with the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
- We apologize for any inconvenience this error has caused. If you have any questions or concerns, please feel free to contact me or send an email to our privacy officer at <provide email address here>.
Check to ensure you have an email disclaimer set up so that all outgoing email includes the disclaimer. See Email Disclaimer Template.
- How can a patient request a correction to their personal information?
The patient can complete and send you the Patient Request to Correct Personal Information form.
- What internal controls can be put in place to ensure accuracy?
Internal controls that can be put in place to ensure accuracy include:
- Programmed edits to ensure correct format
- Manual quality control checks by someone other than the person doing data entry
- External audits
- Internal reviews and audits
- Interaction with external parties
- Segregation of duties
- Reconciliations
- What is a privacy breach and what needs to be done if it happens?
A privacy breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information. The most common privacy breach happens when personal information of members, non-members or employees is stolen, lost or accidentally disclosed. There are two different kinds of breaches:
- Accidental
- Sending an email to the wrong email address
- Sending a fax to the wrong number
- Backup lost in transit (same problem can happen with CDs)
- Policy violation due to lack of training
- Janitors remove paper records that were not locked up
- Criminal
- Hacking
- Stolen laptop
- Stolen backup
- Dishonest employee
- Unauthorized intrusion into systems
- Debit machine thieves
If you know or suspect a breach has occurred, immediately notify your Privacy Officer. Depending on the scope of the breach, they may contact the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
For more information from the Office of the Information and Privacy Commissioner for BC, see Privacy Breaches: Tools and Resources.
- What are the safest ways to collect personal information?
Patient information should be collected on a standard form.
If collecting information verbally, ensure you are in a private place where no one else can hear.
Whenever possible, you should employ the following methods of receiving information:
- Secure File Transfer Protocol (SFTP) - Secure transfer of files over the internet
- Transport Layer Security (TLS) - Secure email communications between the Doctors of BC and other organizations
- Virtual Private Network (VPN) - Secure, private tunnel between two or more devices across a public network
Less secure methods include:
- Compact disc via mail or courier, where there are risks of loss in transit. If this method must be used, files must be encrypted and/or password protected, even if the CD is hand-delivered
- Email where there are risks of misdirection or redistribution. If this method must be used, files must be encrypted and/or password protected
- Paper
- Can I obtain consent to correspond electronically with a patient?
Please refer to the Canadian Medical Protective Association (CMPA) for Consent to Use Electronic Communications.
- Is consent required if photos are taken and will be used in a presentation?
It depends.
If it is in a business setting and the only people being photographed are involved in the project, then consent is not required. If there are any other people whose photos may be included (such as a patient), then consent in writing is required.
- Can I disclose medical records to anyone outside my practice?
Please refer to the College of Physicians and Surgeons of BC Medical Records guidelines.
- How should records in paper format be disposed of?
Paper records can be disposed of by:
- Cross-cut shredding
- Incinerating
- Outsourcing to a shredding company as long as you have a contract with them that covers security, privacy and confidentiality
When destroying information, a Certificate of Destruction should be completed.
- How should data on portable media (CD/DVD/USB) be disposed of?
Data on portable media can be disposed of by:
- Cross-cut shredding
- Degaussing
- Grinding
- Incinerating
- Sanitizing overwrites
- Selective wipes
- Outsourcing to a service provider as long as you have a contract with them that covers security, privacy and confidentiality
When destroying information, a Certificate of Destruction should be completed.
- How should data on computers and servers (desktop, personal computer, laptop or file server) be disposed of?
Data on computers and servers can be disposed of by:
- Degaussing
- Grinding
- Incinerating
- Sanitizing overwrites
- Selective wipes
- Shredding
- Outsourcing to a service provider as long as you have a contract with them that covers security, privacy and confidentiality
When destroying information, a Certificate of Destruction should be completed.
- How should data on backup systems and media be disposed of?
Data on backup systems and media can be disposed of by:
- Cross-cut shredding
- Degaussing
- Grinding
- Incinerating
- Sanitizing overwrites
- Selective wipes
- Outsourcing to a service provider as long as you have a contract with them that covers security, privacy and confidentiality
When destroying information, a Certificate of Destruction should be completed.
- What if a patient asks us to send them an email to an email address we do not have on record?
If they are asking by email:
- Contact them by phone to ensure the request was made by them
- Reconfirm their email address
- Enter the email address into your system for future use
- Place a notation on the record that consent was given by email (specify the date and time)
If they are asking by phone:
- Be sure to verify their identity (See “Identification” below)
- Obtain their email address
- Enter the email address into your system for future use
- Place a notation on the record that consent was given over the phone (specify the date and time)
If they are asking in person:
- Obtain their email address while in a private place
- Enter the email address into your system for future use
- Place a notation on the record that consent was given in person (specify the date and time)
- Can I use a shared fax machine with the big box store in which my practice is located?
Physicians are discouraged from using shared fax equipment as control over access to patient data cannot be ensured. For more information, see Guidelines for Use of Email or Fax .
- Is it safe to leave paper files unattended in the office?
No.
This should never be done, as the files could be at risk of unauthorized access or theft.
- Is it safe to save files on the C:\ drive on your desktop?
No.
This should never be done, as the files will not be backed up and they could be at risk of unauthorized access or computer theft after hours.
- Is there a standard set of questions to ask when verifying someone's identity over the phone?
You can ask for 2-3 pieces of information that only the person would know. Do not provide the information and ask for confirmation. Instead, ask questions like:
- What is your Care Card number?
- What is your cell phone number?
- What is your home address?
- What is your home phone number?
- What is your middle name?
- What is your work phone number?
- When did you see the doctor last?
- When did you have your last blood test?
- What is your birth date?
Keep in mind that someone impersonating a patient may already know much of this information.
- When is it appropriate to provide your Social Insurance Number (SIN)?
Your SIN is the authorized number for income tax purposes under section 237 of the Income Tax Act and is used under certain federal programs. You have to give it to anyone who prepares an information slip (such as a T3, T4, or T5 slip) for you. Each time you do not give your SIN when you are supposed to, you may have to pay a penalty. You also have to give it to the Canada Revenue Agency (CRA) when you ask for personal tax information. If your SIN is missing or incorrect on your slips, advise your slip preparer (employer, issuer, or administrator of your information slip). Your SIN card is not a piece of identification, and it should be kept in a safe place. If you are asked to provide your SIN in any other circumstances, you should refuse and advise the:
- Privacy Officer for the company asking for the information
- Office of the Information and Privacy Commissioner for BC
- How does someone challenge our compliance with privacy legislation?
Anyone can contact your privacy officer in writing, in person, by email or by phone with their concerns. Under PIPA, a response is required within 30 days. The privacy officer’s contact information should be published on your website or in your office. If the person is not satisfied with your response, they can make a complaint to the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
- Can you remotely scrub a mobile device if it is lost or stolen?
It depends.
Some devices can be disabled and/or scrubbed remotely.
If a portable device is lost or stolen, it should be immediately reported to:
- The service provider who can suspend the service
- The Police
- Your privacy officer
- Your IT support
- How safe is it to save files on a USB key?
It depends on whether it is encrypted.
USB keys are small and are easy to lose. The best practice is to never put sensitive information on a USB key. If files have to be saved to a USB key, they must be encrypted and/or password protected.
- What is personal information?
Information, including Personal Health Information, about an identifiable individual which includes factual or subjective information about that individual. This information includes, but is not limited to, name, personal address, birth date, physical description, medical history, gender, education, employment and visual images such as photographs or videotapes.
- What safeguards over personal information can be put in place?
Organizational safeguards such as:
- Confidentiality and data sharing agreements
- Destruction of documents and data
- Locked bins for confidential information to be shredded
- New employee orientations
- Policies, procedures and guidelines
- Refresher training
- Scanning documents
Physical safeguards such as:
- Alarms after hours
- Keeping equipment out of sight (e.g., files or laptop in the trunk)
- Locked filing cabinets, cupboards and desk drawers
- Restricted access to patient files
- Smoke detectors
Technological safeguards such as:
- Automatic keyboard time-out
- Encrypting cell phones, laptops, USBs
- Locking the keyboard when stepping away from the computer
- Mobile phone password lock
- Password protecting files
- Role-based security access based on need to know
- Transport Layer Security for transmission of files between organizations
- Usernames and passwords
- Can I contract with a third party outside Canada for appointment and recall services?
Physicians are discouraged from letting personal information of patients leave Canada, even though there is no requirement under PIPA.
If you do want to use a service provider that is outside Canada, you can obtain consent from the patient to use their email address for appointment and recall services. You should ensure that no additional personal information (such as name, Care Card number or medical conditions) is included in the emails. For example, a recall message might say “Our records indicate you are due for a medical visit. Please contact our office to make an appointment.”
The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.
- Can I contract with a third party outside Canada for transcription services?
Physicians are discouraged from letting personal information of patients leave Canada, even though there is no requirement under PIPA.
If you do want to use a service provider that is outside Canada, you can anonymize the data (by using initials instead of name or by using an ID number that is not associated with their government-issued IDs). Then the data being transcribed cannot be tied to an individual by the third party.
The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.
- Can I grant remote access to a third party outside Canada for transcription services?
Physicians are discouraged from granting access to patients’ data in their EMR systems, as control over the information is compromised and the risk of a breach is high.
If you do grant access, you should have a third party confidentiality agreement for the services and be able to provide:
- a unique user ID and password
- role-based access to patient information based on “need to know”
- appropriate encryption levels
- audit trails to track when a patient record is accessed and by whom, including date and time
- forced password changes at regular intervals
- password protected screen saver or auto logout after a period of inactivity
These safeguards are difficult to accomplish with a third party.
The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.
- Can I use cloud-based services in my medical practice?
Some cloud-based services such as Google Cloud Print and Microsoft Office 365 store data on servers in the U.S. Physicians are discouraged from letting personal information of patients leave Canada, even though there is no requirement under PIPA.
Some cloud-based services may store data on servers in Canada. Questions you can ask potential cloud providers are:
- Geographically, where will the data be stored and if in Canada, what is the proof?
- Has the provider been involved in findings under the EDA, FOIPPA, PIPA, PIPEDA?
- What security measures are in place to protect data, both physically and digitally?
- Who will have access to the data?
- What happens to the data once the contract with the provider is terminated?
- Is data backed up regularly off-site and if so, where?
The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.
- How can we make third parties accountable for protecting confidential information shared with them?
Ensure you have a Confidentiality and Data Sharing Agreement in place.
- What are the safest ways to transmit personal information?
Whenever possible, employ the following methods of transmitting information:
- Secure File Transfer Protocol (SFTP) - Secure transfer of files over the internet
- Transport Layer Security (TLS) - Secure email communications between the Doctors of BC and other organizations
- Virtual Private Network (VPN) - Secure, private tunnel between two or more devices across a public network
Less secure methods include:
- Compact disc via mail or courier, where there are risks of loss in transit. If this method must be used, files must be encrypted and/or password protected, even if the CD is hand-delivered.
- Email where there are risks of misdirection or redistribution. If this method must be used, files must be encrypted and/or password protected.
- Paper
- I’ve opened a new rural practice in Smalltown, BC and will take over patient care from the Health Authority (HA). Will those patients’ medical records be subject to FIPPA or PIPA once I take over, and what considerations will affect how I can access the medical records?
It is a complex issue and needs to be dealt with on a case-by-case basis. The HA is governed by FIPPA and the physician’s office is governed by PIPA. The two pieces of legislation are not united, so it helps to look at it from the point of view of “who has custody or control of the medical records”, “who has liability if the records are not adequately protected”, and “who is most likely going to get sued”. If it is determined that FIPPA applies, s. 3(2)(d) of PIPA states that PIPA will not apply. Legal custody and control are therefore relevant because of which legislation applies.
There are many considerations that can affect how medical records will be accessed. For example:
- Whose patient is it?
- Who will have custody and control of the medical records?
- Does the patient need to provide consent for your office to provide care?
- How can continuity of care be ensured?
- What are the patient’s expectations with respect to how their personal information should be handled?
- Will your office be within the HA or in a different location?
- Will you be using an Electronic Medical Records system?
- Will you require copies of all patient records and work independently of the HA?
- Will you work collaboratively on patient care with the HA so that information will flow in both directions?
- If you are working collaboratively on patient care with the HA, are you privileged or credentialed with that HA?
- Will medical records remain on the HA’s Electronic Health Records system?
- Can I access my family or friend’s medical records?
No.
Physicians and their staff are not allowed to access these records unless the practice is providing care.
- What’s the difference between FIPPA and PIPA legislation?
Physicians who are working in a physician’s office but are also providing services to a public health organization will generally be governed by:
- PIPA with respect to the personal information collected, used and disclosed by the private office
- FIPPA with respect to the personal information they collect, use and disclose in their capacity as physicians for the public health organization
There are some notable differences between PIPA and FIPPA:
- PIPA does not include the FIPPA provisions regarding storage and access to personal information from outside Canada. As long as privacy is contractually protected, data can be stored or accessed from outside Canada.
- PIPA requires consent for the collection, use, and disclosure of personal information. It is up to the organization to determine whether the form of consent is expressed (written or verbal opt-in) or implied (opt-out or deemed).
- FIPPA does not contain consent requirements; instead it operates on the principle of appropriate authority and “notification” for collection of information.
- Can I share my password with visiting physicians or locums?
Physicians should refrain from sharing their login information with other physicians.
- Each individual should have their own unique credentials for system access.
- Login information should never be communicated by email.
- If login information is received by email from a vendor, the email should be deleted as soon as possible.