Step 1. Review governing legislation
To help enhance your understanding of privacy rules:
- Review legislation. See Appendix I to determine which legislation applies to your practice and then familiarize yourself with the legislative requirements.
- Review available resources. The Office of the Information and Privacy Commissioner of Alberta’s website (www.oipc.ab.ca) contains comprehensive information about privacy legislation. Other online resources include:
- Personal Information Protection Act (PIPA) - legislation, additional information and resources are available at www.servicealberta.ca/pipa
- Freedom of Information and Protection of Privacy Act (FOIP) - legislation, FOIP guidelines and additional resources are available at www.servicealberta.ca/foip
- Health Information Act (HIA) - legislation is available from Alberta Queen’s Printer at www.qp.gov.ab.ca. The Health Information - A Personal Matter - A Practical Guide to the Health Information Act, the Health Information Act Guidelines and Practices Manual and Highlights from Alberta’s Health Information Amendment Act provide additional information about the Act.
- Personal Information Protection and Electronic Documents Act (PIPEDA) - legislation and awareness tools (questions and answers, glossary, poster and brochures) are available at www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda.
- Other resources:
- Service Alberta PIPA Help Desk 780.427.5848 (for toll-free dial 310.0000 first)
- Service Alberta HIA Help Desk 780.427.8089 (for toll-free dial 310.0000 first)
- Service Alberta FOIP Help Desk 780.427.5848 (for toll-free dial 310.0000 first)
- Office of the Information and Privacy Commissioner of Alberta 780.422.6860 or 1.888.878.4044
- Office of the Privacy Commissioner of Canada 1.800.282.1376
Step 2. Create inventory of personal information in your practice
Identify the personal information currently collected, used, stored and disclosed about patients, employees or third-party individuals to create the inventory. (See Appendix II for a worksheet to help with this exercise.) You can categorize collected personal information into four groups:
- Name (may also be considered health information under HIA)
- Home address, home phone number, email address and other contact information (may also be considered health information under HIA)
- Family information
- Emergency contact person
- Age or date of birth
- Health history
- Examination results
- Health services provided to/received by patient, including copies of charts prepared by other health providers
- Prognosis or other opinions formed during assessment or treatment
- Attendance records and adherence with treatment
- Reasons for discharge and discharge plan
- WCB and insurance reports (may also contain contact and financial information)
- Alberta health-care information/insurance benefit coverage
- Employer name
- Section B motor vehicle insurance information
- WCB claim number
- Credit card number and expiry date
- Bank account number
Employee information – applies to employees, contractors, students or volunteers
- Name, address and personal contact information
- Application or resume
- Performance reviews/evaluations
- Reference letters
- Salary information
- Leave of absence information (e.g., disability or maternity)
These lists of personal information are not exhaustive as the type of information that may be categorized as “personal information” under privacy legislation is very broad. When completing an inventory, identifying the category of personal information will help you understand why the information is being collected, for what purposes it may be used and disclosed, and the level of sensitivity of the information.
Once an inventory has been completed, it is important to identify the privacy legislation that applies to a particular piece of personal information. This will help you determine what consent requirements must be met in relation to the handling of that information (including the form of consent and whether an exception to consent applies).
It is also important to identify any third-party consultants/contractors who may have access to the personal information because of their work with you. You may be responsible for ensuring that they comply with privacy legislation, and your expectations for them to do so should be outlined in writing and communicated to them.
If, during the creation of your inventory, you find you are collecting personal information that is not required for your primary function as a physiotherapist or employer, consider revising your collection practices to prevent the collection of similar information in the future.
Step 3. Appoint a privacy officer
The privacy officer is accountable for the organization’s overall compliance with applicable privacy legislation and must have the authority to exercise this role. The officer does not have to be a physiotherapist. They could be a support worker or member of your administrative team—you do not need to hire externally to ﬁll this role.
Determine if there is someone suitable in your office and delegate authority to oversee the privacy plan and authority to resolve privacy issues/concerns. Your privacy officer’s name must be clearly identified and made known to patients and employees.
The privacy officer:
- Oversees the development of privacy policies and procedures.
- Ensures that:
- Appropriate forms are used to obtain consent for information collection, retention and disclosure.
- Safeguards are in place to protect personal information.
- Contracts are in place and third-party service providers protect the privacy of personal information.
- Responds to questions/concerns regarding the protection of personal information.
- Liaises with external groups.
- Processes privacy related complaints.
Create a written policy identifying your information management strategies once you have determined the rules regarding what information should be collected, used, stored, and disclosed.
Principles that should be communicated to patients and employees in a policy include that:
- Their privacy is valued.
- There is a commitment to protect their personal information.
- The collection, use, storage, and disclosure of their personal information is limited to that which is reasonable to achieve the purposes of providing physiotherapy treatment or relates to their employment.
- Information is only disclosed to third parties for the specific purposes identified, with their express consent or as otherwise permitted by law.
- Physical, technical and administrative safeguards are in place to secure their personal information.
- There is a mechanism to access their personal information and changes to inaccurate information will be considered.
- A privacy officer is available to address questions/concerns regarding privacy policies and procedures (and include their business contact information in your policy).
- The organization is committed to adhering to all applicable provincial and federal privacy legislation. In the event the individual does not believe the organization has done so, a complaint or request for review may be made to the Privacy Commissioner’s office.
Step 5. Limit information collection
Legislation requires that you collect only the information needed to provide physiotherapy services to patients and to facilitate the processes necessary to complete transactions (e.g., direct billing). Consider the information currently collected and ensure it directly relates to the provision of physiotherapy. If not, stop collecting it.
Consider the sensitivity of the information collected and ensure the collection purpose is expressly stated on all your collection forms. Collect personal information directly from the individual in question unless they consent to you obtaining it from another source.
Step 6. Provide for express consent
The concept of obtaining informed consent before providing physiotherapy services is not new. However, the concept of obtaining consent for the collection, use and disclosure of information may be. The general rule of all privacy legislation is that consent is required for the collection, use, storage and disclosure of personal information. While the mandatory form of consent can vary (e.g., some legislation authorizes verbal consent while other legislation requires written), you can ensure compliance by obtaining written informed consent from patients.
There may be some exceptions to the general requirement of consent, meaning in certain circumstances personal information can be collected, used or disclosed without consent. A review of all the exceptions contained in the legislation is beyond this guide’s scope. For advice on specific situations, please contact your legal advisor or review the documents referenced under Step 1 - Review Governing Legislation.
Forms of consent
The form of consent required varies by the applicable legislation. For example, in circumstances where consent is required and is being collected to enable disclosure of individually identifying health information under HIA, consent must be provided in writing or electronically and contain certain information like the purpose for which the health information may be disclosed. In contrast, consent under PIPA may be provided in writing or verbally. If accepting verbal consent for disclosure of information under PIPA, physiotherapists are advised to document in the patient or employee record that consent was sought and received.
The following are some consent form recommendations:
- Form of consent if governed by PIPA - Verbal consent for the collection, use, and disclosure of information is sufficient to ensure PIPA compliance. However, written consent is always prudent as it is difficult to prove verbal consent later. Consider including a provision on existing treatment consent forms that would satisfy this requirement. For example:
You can provide patients with a copy of your policy or a means of accessing it to help ensure they are aware of what information is being collected, how it is being used and stored, and to whom it is being disclosed.
- Form of consent if governed by HIA - HIA requirements are more onerous if information is being disclosed outside the “circle of care” (defined as health-care professionals who provide treatment to a patient receiving physiotherapy from you). Information can be provided to circle of care providers without specifically obtaining patient consent. Outside that circle, however (e.g., to a lawyer or third-party insurer), HIA requires specific written or electronic consent. Have your patient sign a consent form at the time disclosure is made—see Appendix IV for a sample consent form.
Step 7. Safeguard personal information
Contact, health, and financial information are considered sensitive by most individuals. Appropriate safeguards must be in place to prevent unintended or unauthorized access to or loss of this information. Safeguards include:
- Keeping records in places that only authorized individuals can access.
- Locking cabinets and offices containing personal information and not leaving them unattended during business hours.
- For computer files - using passwords, encryption, antivirus and firewalls, and keeping software current (i.e., updates and patches).
- Preventing unauthorized viewing of computer screens and using a password-protected screen saver.
- Not discussing confidential information over the phone or when it could be overheard.
- Shredding paper records and completely expunging files from computer hard drives.
- Confidentiality oaths for staff and/or confidentiality clauses in employment contracts.
Ensure service providers also follow your privacy policies
You are responsible for ensuring the personal information in your custody is handled in accordance with the applicable privacy legislation. You may be asked to disclose personal information to a third party, or you may choose to contract services out to third parties (e.g., electronic medical record software providers, information technology specialists, accountants, etc.).
When hiring/retaining third-party service providers, ensure they know the personal information in your custody is governed by privacy legislation and that they too must protect the information’s confidentiality. You can do this via a written and signed privacy agreement (see Appendix V for a sample agreement) or by inserting provisions of the agreement into third-party contracts. Keep in mind that contracting out services to others does not alter your responsibility to maintain the privacy of personal information that is in your custody.
PIPA also requires notification of individuals when their personal information is stored or accessed outside of Canada. If PIPA applies in your practice, ensure that you have policies and procedures in place to deal with these obligations.
As of 2018, PIPA, HIA and PIPEDA all have mandatory breach reporting requirements in force. For PIPA and HIA, custodians are required to notify the Office of the Information and Privacy Commissioner of Alberta and the individual(s) affected in the event of a breach of personal information involving a “real risk of significant harm.” If a breach of information governed by PIPEDA occurs, custodians are required to notify the Office of the Privacy Commissioner of Canada and the individual(s) affected if the breach of personal information involves a “real risk of significant harm.”
Additional information about breach reporting under the HIA can be found in Chapter 14 of the Health Information Act Guidelines and Practices Manual.
Step 8. Train staff in privacy legislation intent and requirements
Step 9. Ensure information on file is current, complete and accurate
Staff should make reasonable efforts to ensure the currency, completeness and accuracy of personal information being collected, used or disclosed. This includes information regarding the current medical status of patients.
Step 10. Identify processes to access and change information on file
Patients and those acting on the patient’s behalf may request access to their records at any time. PIPA, HIA and FOIP all have established, legislated time limits for responding to access requests. HIA and FOIP have also established legislated fee schedules for charges that may be collected for providing access to copies of records. Ensure patients understand the processes and fees for accessing personal information in your custody.
When responding to access to information requests, ensure that personal information about another person (provided in confidence by someone other than the person requesting access) is not inadvertently disclosed.
If patients request a change to their information, determine if the information on file is factually correct. While incorrect facts/details should be amended, changing a professional opinion because a patient disagrees is not required or appropriate.
Document the change request in the patient’s file. If the request is unwarranted, consider seeking advice (from Physiotherapy Alberta, the Office of the Information and Privacy Commissioner, etc.) to ensure the appropriate processes are followed. If patients express concern or dissatisfaction regarding a failed change request, explain that they can make a written complaint to your privacy officer or to the Office of the Information and Privacy Commissioner of Alberta (see contact information under Step 1).
Step 11. Establish and communicate process for handling privacy related concerns
To ensure an open process for handling privacy related concerns:
- Identify the privacy officer as the complaints investigator.
- Ensure a confidential complaints process.
- Consider concerns objectively.
- Respond to concerns in the manner they were expressed (e.g., if submitted in writing, respond in writing).
- Seek an informal resolution wherever reasonably possible. For example, if an individual believes too much of their personal information is being collected, determine whether the information is actually needed. If it is not needed it can be destroyed, and the individual can be reassured that this step has taken place. If a concern remains unresolved, the individual may be directed to the Office of the Information and Privacy Commissioner.
- Document steps taken to address concerns.
- Adjust privacy policies and practices to minimize future concerns.
Step 12. Review and update privacy policies and forms regularly
Privacy legislation continues to evolve. Review your policies and practices regularly to ensure compliance with any changes and determine if your systems and processes meet your policy objectives and legislative responsibilities.
Step 13. Implement systems for personal employee information
While Steps 1 to 12 focus on information related to patients, PIPA also applies to employees’ personal information. Therefore, physiotherapists employing staff (e.g., assistants, administrative personnel or other physiotherapists) must also ensure the collection, use and disclosure of personal employee information complies with legislation.
PIPA defines personal employee information as:
“… in respect of an individual who is a potential, current or former employee of an organization, personal information reasonably required by the organization for the purposes of
- establishing, managing or terminating an employment or volunteer-work relationship, or
- managing a post-employment or post-volunteer-work relationship
between the organization and the individual, but does not include personal information about the individual that is unrelated to that relationship.”
Collection, use and disclosure of personal employee information
The general rule is that the information can be collected, used or disclosed by an organization without the consent of an individual if the individual is or was an employee or volunteer of the organization and:
- The collection, use or disclosure is reasonable for the purpose for which it was collected, used or disclosed.
- For current employees or current volunteers, the personal employee information includes only personal information related to establishing, managing or terminating that individual’s employment or volunteer relationship.
- For former employees or former volunteers, the personal employee information includes only information related to managing the post-employment or post-volunteer relationship.
- For current employees or current volunteers, before collecting, using or disclosing the information, employees and volunteers are notified of the collection, use and disclosure and its purpose.
Access to employees’ personal information
The rules regarding access to information also apply to personal employee information. Therefore, advise employees that they can access their information in the practice’s custody/control.