You run an allied health clinic in British Columbia. Which privacy laws apply to your patient records, and what do you actually need to do in your clinic to comply with them?
Which Privacy Laws for Health Records Apply in BC?
BC has passed its own private-sector privacy law, the Personal Information Protection Act (PIPA BC), which the federal government has deemed "substantially similar" to Canada's federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
As a result, private-sector organizations in BC that collect personal information in the course of commercial activity - including allied health clinics of every discipline and solo practitioners - must handle personal information in accordance with PIPA BC (with the exceptions noted below).
What counts as personal information? Any recorded information that identifies an individual (name, address, phone number, ID number) and any information about an identifiable individual (physical description, education, blood type, and for a clinic, diagnoses and treatment notes).
PIPA allows this information to be collected, used and disclosed only for "reasonable purposes": purposes that a reasonable person would consider appropriate in the circumstances.
Legal fact: Allied health clinics in BC are governed by PIPA BC (deemed "substantially similar" to the federal PIPEDA). There are two circumstances in which the federal PIPEDA applies within BC instead. First, PIPEDA applies to federally regulated businesses (federal works, undertakings and businesses such as banks, airlines and telecommunications companies). Note that an allied health professional working inside a BC public body, such as a municipal police force or a health authority, is covered by public-sector legislation (FIPPA, see the end of this page), not by PIPEDA. Second, PIPEDA may apply to a BC-based allied health professional when personal information crosses provincial or national borders in the course of commercial activity, for example when the personal information of residents of other provinces is involved.
How Do BC Clinics Meet Legal Privacy Obligations?
1) Develop procedures & appoint a Compliance Officer
The law requires that you have procedures in place to receive and respond appropriately to inquiries and complaints about your collection, use and disclosure of personal information. You must also designate one or more people in your practice who are responsible for compliance with PIPA (commonly called the Privacy Officer) and make that person's name or position title and contact information available to the public, for example on your website and in your clinic's privacy notice.
The law also holds your clinic responsible for personal information under its control even when it is not in your custody. For instance, the contract with a service provider that stores records on your behalf (a cloud EMR, backup or email vendor) should state that the clinic remains in control of the information and should spell out the safeguards the provider must apply, and what happens to the data when the contract ends.
2) Obtain consent to collect information
You need consent before you collect, use or disclose personal information, and you must be able to show that the collection, use and disclosure are for purposes a reasonable person would consider appropriate. That means you cannot make consent to collecting or disclosing information beyond what is necessary to provide your service a condition of providing that service.
There are a few rules around obtaining consent:
First establish and document the reasonable purpose for the collection, use and/or disclosure. The personal information you collect must not merely be convenient to have; it must be necessary for you to provide your service.
Once you have a reasonable purpose, you must notify the individual of that purpose, verbally or in writing, on or before collection.
Only then can the individual give informed consent.
There are a few types of consent:
Express consent - with full knowledge of the purpose, a person explicitly agrees, verbally or in writing, to give personal information. For health records, written express consent is the safest option and the easiest to demonstrate later.
Deemed consent - no express consent is given, but the individual voluntarily provides information for an obvious purpose that a reasonable person would consider appropriate, such as giving a phone number to book an appointment.
Opt-out consent - consent given by not declining within a reasonable time after being notified. An individual, for instance, is given a check box to opt out of a particular collection but leaves it blank; by leaving it blank the individual has consented. Your organization still needs to give a clear, understandable explanation of why the information is collected. Opt-out consent is only available where the information is not sensitive in the circumstances, so do not rely on it for clinical or other health information; get express consent instead.
3) Collect information carefully
Once you have consent, you may collect the information that is necessary for you to provide your service. The law requires you to limit the amount of information collected to what is reasonable for those purposes. The best way to do this is to start by clearly identifying and documenting your purposes for collection, as specifically as possible, and then checking each field on your intake forms against them.
In cases where individuals volunteer unrelated or irrelevant information, you are responsible for NOT recording it.
PIPA allows collection without prior consent in certain cases. For example, a medical professional may collect personal information where doing so is clearly in the interests of an individual who is unable to give consent in a timely way, such as a patient who needs treatment while unconscious.
Prior to 2004: PIPA came into force on January 1, 2004. For personal information you collected before then, you do not need to go back to the individuals and obtain consent, provided you continue to use and disclose that information only for the purposes for which it was originally collected.
4) Limit the use of personal information
Definition: "Using" personal information (which is different from disclosing it) means viewing, interpreting or otherwise handling the information internally to carry out the purposes for which your organization collected it.
Under PIPA, your clinic must limit its use of personal information to what is necessary to carry out the purposes for which it was collected, and staff should only access the records they need for their role.
5) Limit disclosure of information & notify
Definition: Disclosing personal information means showing, sending or giving the information to another organization or individual outside your clinic.
Disclosure is permitted for the purposes the individual consented to (for example, sending a treatment report to a referring physician with the patient's agreement). Beyond that, PIPA permits disclosure without consent only in limited situations, such as:
- as required by a treaty, arrangement or agreement made under federal or BC law
- as required by a subpoena, warrant or court order
- to assist an investigation of an offence under Canadian or provincial law
- to respond to an emergency that threatens the life, health or safety of an individual or the public
- to contact the next of kin or a friend of an injured, ill or deceased individual
- when reasonable for the archival purposes of an archival institution
It is good practice to record what was disclosed, to whom and on what authority, so that you can answer an access request or an OIPC inquiry later.
6) Know individual’s rights to access their information
Individuals have the right to access their own personal information, and your organization must respond to a request within 30 days of receiving it (the time limit can be extended in limited circumstances, and you must tell the individual if you extend it). Legal representatives, such as a parent or guardian of a minor, may make requests on an individual's behalf.
When you respond to a request, you must tell the person whether you actually hold their personal information, whether you will give full or partial access, and when and how access will be given. If you refuse to provide requested information, you must give the reason for the refusal and the name of the person in your organization who can answer questions about it, and you MUST tell the individual that they have the right to ask the Commissioner to review your organization's decision.
Situations where you are REQUIRED to refuse access to personal information:
- disclosure could reasonably be expected to threaten the safety or physical or mental health of another individual
- disclosure could reasonably be expected to cause immediate or grave harm to the safety or physical or mental health of the individual making the request
- the information would reveal personal information about another individual
- the information would reveal the identity of someone who provided personal information about the requester in confidence, and that person has not consented to their identity being disclosed
Situations where you may choose to refuse access to personal information:
- the information is protected by solicitor-client privilege (for example, correspondence with your legal counsel about a complaint this same individual raised)
- disclosure would reveal confidential commercial information that could harm the competitive position of your organization
- the information was collected for an investigation or legal proceeding that has not yet concluded
- the information was collected by a mediator or arbitrator for a court-appointed mediation or arbitration
- the information is subject to a solicitor's lien
If only part of a record falls under one of these exceptions, sever that part and give access to the rest.
You may charge a minimal fee for access that covers the cost of producing the record, but you must give the individual a written estimate of the fee first.
7) Correct or alter personal information with care
Your organization must make a reasonable effort to ensure that the personal information it holds is accurate and complete, particularly where it will be used to make a decision about the individual or disclosed to another organization. You must correct information that is not.
Individuals can request corrections to their information. If you agree, correct the record and send the corrected information to every organization you disclosed it to during the preceding year. If you decline, annotate the record with the correction that was requested but not made. Either way, make the change as a dated addition rather than a silent overwrite, so the history of the record is preserved.
8) Protect and store personal information with care
Your organization must use physical, administrative and technical safeguards to protect the personal information you collect and that is under your control, including information held by your service providers.
Because health records are sensitive, the standard of "reasonable" safeguards for a clinic is high.
Examples of safeguards:
Physical: lock filing cabinets holding paper records, restrict staff access to record storage areas, do not leave records on a desk at the end of the day, shred printed records instead of putting them in the garbage, and position computer monitors so that screens cannot be read by other patients or visitors.
Technical: use a screen lock that activates automatically after a few minutes of inactivity, give each staff member their own account with a strong, unique password (no shared logins, so that access to a record can be traced to a person), run anti-virus/anti-malware software on every workstation regardless of operating system, keep computers, phones and tablets patched with the latest updates, turn on full-disk encryption on every device (BitLocker on Windows, FileVault on macOS) and encrypt anything stored on USB drives so that a lost device does not become a breach, securely wipe all information from devices before discarding or reselling them, and never write credit card numbers on paper or store them in plain text on a computer.
Administrative: written privacy and security policies, staff training at hiring and at regular intervals, signed confidentiality agreements, and a periodic review of who has access to which records.
Who enforces PIPA BC?
BC's privacy laws are upheld and enforced by the Office of the Information and Privacy Commissioner for British Columbia (OIPC).
The OIPC has the power to review any organization's policies and practices regarding personal information and can initiate an investigation if it believes an organization is not complying with privacy law.
The OIPC prefers that access matters be handled between the organization and the individual requesting access to their records. When there is a dispute, the OIPC will usually refer the individual back to your Privacy Officer (the compliance contact you designated in step 1) first, so it is important to have procedures in place to deal with these issues.
If you receive a notification from the OIPC, you are obligated to respond within 30 business days.
Offences under PIPA:
- using deception or coercion to collect personal information
- disposing of personal information with the intent to evade a request for access
- obstructing or misleading a representative of the OIPC
- retaliating against an employee who reports a contravention of PIPA or refuses to take part in one
- failing to comply with an order of the Commissioner
Fines are up to $10,000 for individuals and up to $100,000 for organizations.
Other Privacy Laws in BC
E-Health (Personal Health Information Access and Protection of Privacy) Act - BC's privacy law for health records that applies specifically and only to designated government health information banks. It has not been deemed "substantially similar" to PIPEDA, so the only law in BC that private allied health records fall under is PIPA BC. In practice, however, many associations and allied health organizations are increasingly following requirements outlined in this law, particularly the requirement that health records be stored only on servers located within Canada. PIPA itself does not prohibit storing records outside Canada, but you remain responsible for records held by a service provider wherever they are, so check where your EMR, backup and email vendors store data before signing a contract.
If a clinic or practitioner practices in government or the public sector:
FIPPA BC (Freedom of Information and Protection of Privacy Act) applies instead of PIPA to practices inside public bodies such as government ministries, health authorities and law enforcement.