Understanding privacy legislation is complex and keeping current with legislative changes and provincial and federal rulings can be challenging. The Privacy Guide for Alberta Physiotherapists is designed to provide physiotherapists with both general and practical information on privacy legislation, policies and procedures.

View the Privacy Guide for Alberta Physiotherapists as a PDF.


This guide contains information and advice regarding current privacy legislation affecting Alberta physiotherapists and is intended to help physiotherapists comply with that legislation. Physiotherapists are required to comply with privacy legislation regardless of their practice environment.

The Personal Information Protection Act (PIPA) will apply in almost all cases to the personal and employee information collected, used and disclosed by physiotherapists in the private sector. If employed by Alberta Health Services (AHS), a hospital or nursing home, the Health Information Act (HIA) which concerns the collection, use, disclosure and access to health information within Alberta’s publicly funded health system will likely govern the physiotherapy services you provide. If you are not sure which legislation applies, please review Appendix I - Privacy Legislation Applicable to Physiotherapists for further clarification.

Please review this guide in its entirety as it contains important information that is difficult to summarize. That said, the guide’s key recommendations are summarized as follows:

Appoint privacy officer

Appoint a person responsible for privacy legislation compliance and access to information requests. The officer should be familiar with concepts in the legislation and in this guide and have the authority to exercise this role.

Develop a privacy policy

If you are employed by or have a contract with AHS, a hospital or nursing home, you may be required to follow a privacy policy already in place. If there is no applicable policy, develop one that addresses your information management strategies to ensure the adequate protection of patient information in your custody.

Obtain consent

The underlying rule of all privacy legislation is that consent is required for collecting, using and disclosing personal information. In most cases, inserting a clause such as the one below into your current treatment consent form will be sufficient to comply:

I hereby consent to the collection, use and disclosure of my personal information in accordance with the XYZ Physiotherapy Clinic’s privacy policy. I hereby acknowledge that a copy of the privacy policy was made available to me and I have been advised who to contact if I have any questions about anything contained in the privacy policy.

While this clause will suffice in most circumstances, there is one important exception. If you are employed by or have a contract with AHS, a hospital or nursing home, a more specific form of consent (written or electronic) is required when disclosing information to non-health professionals (e.g., a lawyer, a third-party insurer or the patient’s employer). See Appendix IV on page 22 for a sample consent form that can be used in these circumstances.

Adopt physical, technical and administrative safeguards for personal information

Ensure you adequately protect the personal information in your possession. Keep records in places where only authorized individuals have access and shred old patient files.

Institute processes to facilitate access to personal information

Legislation gives patients the right to access their personal information. Communicate your access process to patients.


Understanding privacy legislation is a complex matter and keeping up-to-date with legislative changes and provincial or federal rulings is challenging.


In addition to this guide, there are several resources that can provide current information – see Step 1 for details.

Different privacy legislation can apply to a physiotherapist’s practice depending on the circumstances, including the record’s nature and whether the physiotherapy service is privately or publicly funded.

PIPA is the key privacy legislation affecting most physiotherapists. Other legislation that can also apply includes:

  • the HIA,
  • the Freedom of Information and Protection of Privacy Act (FOIP), and
  • the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

While physiotherapists should be aware of the different privacy legislation that can apply, Physiotherapy Alberta recognizes that it is not practical for physiotherapists to design separate systems to address privacy concerns that fluctuate depending on the governing legislation.

Therefore, to help physiotherapists comply with privacy legislation, we have provided a summary of the 10 key privacy principles which all provincial and federal privacy legislation are based on.

Note

This guide’s reference to personal information refers to contact information, health information, financial information, and employee information.

Privacy legislation’s underlying assumption is that an organization may only collect, use or disclose personal information for a purpose that a reasonable person would consider appropriate in the circumstances. Privacy legislation incorporates the following 10 principles:

1. Accountability

Organizations are responsible for the protection of personal information under their control. Each should designate an individual who is accountable for the organization’s compliance with privacy principles.

2. Purpose

The purpose for which the information is being collected must be identified before or during the collection.

3. Consent

Personal information may only be collected, used or disclosed with the knowledge and consent of the individual, with limited exceptions as specified in the legislation.

4. Limiting collection

The information collected is limited to what is necessary for the identified purposes and will be collected by fair and lawful means.

5. Limiting personal information’s use, disclosure and retention 

Personal information must only be used and disclosed for the purpose for which it was collected, except with consent or as required by law. Information can be kept only as long as necessary to fulfill that purpose.

6. Accuracy

Personal information must be as accurate, complete and current as is necessary.

7. Safeguards

Personal information must be protected by adequate safeguards appropriate to the information’s sensitivity.

8. Openness

Information about an organization’s privacy policies and practices must be readily available upon request.

9. Access

Individuals have the right to access their personal information and have a right to seek a correction. Both rights are subject to some exceptions as specified in each statute.

10. Challenging compliance

Organizations must provide a way for individuals to challenge their compliance with the above principles. In Alberta, patients can complain to the Information and Privacy Commissioner if they believe an organization has contravened provincial access and privacy legislation.

To help enhance your understanding of privacy rules:

Review legislation

See Appendix I to determine which legislation applies to your practice and then familiarize yourself with the legislative requirements.

Review available resources

Alberta Privacy Commissioner’s website

The Alberta Privacy Commissioner's website contains comprehensive information about privacy legislation and is available at www.oipc.ab.ca.

Personal Information Protection Act (PIPA)

Legislation, frequently asked questions and A Guide for Businesses and Organizations are available at www.servicealberta.ca/pipa/.

Freedom of Information and Protection of Privacy Act (FOIP)

Legislation, frequently asked questions and FOIP guidelines and practice are available at www.servicealberta.ca/foip/.

Health Information Act (HIA)

Legislation is available from Alberta Queen’s Printer. The Health Information - A Personal Matter - A Practical Guide to the Health Information Act, the Health Information Act Guidelines 2011 and Highlights from Alberta’s Health Information Amendment Act are available at www.health.alberta.ca.

Personal Information Protection and Electronic Documents Act (PIPEDA)

Legislation and awareness tools (questions and answers, glossary, poster, and brochures) are available at https://www.priv.gc.ca/en/.

Other resources

  • Alberta Government Private Sector Privacy Information Line (PIPA) 780.644.7472 (for toll-free dial 310.0000 first).
  • Alberta Government Health Information Act (HIA) Help Desk 780.427.8089 (for toll-free dial 310.0000 first).
  • Alberta Government FOIP Help Desk 780.427.5848 (for toll-free dial 310.0000 first).
  • Alberta Privacy Commissioner 780.422.6860 or 1.888.878.4044.
  • Federal Privacy Commissioner 1.800.282.1376.

Identify the personal information currently collected, used, stored, and disclosed about patients and employees. You can categorize collected personal information into four groups:

Contact Information

  • name (may also be considered health information under HIA)
  • home address, home phone number and other contact information (may also be considered health information under HIA)
  • family information
  • emergency contact person

Health Information

  • age or date of birth
  • gender
  • health history
  • examination results
  • health services provided to/received by patient, including copies of charts prepared by other health providers
  • prognosis or other opinions formed during assessment or treatment
  • compliance with assessment or treatment
  • reasons for discharge and discharge plan

Financial information

  • Alberta healthcare information/insurance benefit coverage
  • employer name
  • Section B motor vehicle insurance information
  • WCB information
  • credit card number and expiry date
  • bank account number

Employee Information (Applies to employees, contractors, students, or volunteers)

  • name, address and personal contact information
  • application or resume
  • performance reviews/evaluations
  • reference letters
  • salary information
  • leave of absence information (e.g., disability or maternity)

These lists are not exhaustive as the information covered by privacy legislation is very broad. When completing an inventory, identify the personal information for which there is implied or written consent and identify any particularly sensitive information. Also, note any third-party consultants/contractors who may have access because of their work with you. See Appendix II on page 18 for a worksheet to help with your inventory.

If during this early review, you find information being collected that is not required for your primary function as a physiotherapist or employer, cease collecting it.

The privacy officer is accountable for the organization’s overall compliance with applicable privacy legislation and must have the authority to exercise this role. The officer does not have to be a physiotherapist. They could be a support worker or member of your administrative team—you do not need to hire externally to fill this role.

Determine if there is someone suitable in your office; delegate authority to oversee the privacy plan and authority to resolve privacy issues/concerns. Your privacy officer’s name must be clearly identified and made known to patients and employees. The privacy officer oversees the development of privacy policy and procedures and:

  • Ensures the privacy policy is made public to patients and employees.
  • Ensures staff receive adequate training regarding privacy policy and procedures.
  • Ensures adequate forms are used to obtain consent for information collection, retention and disclosure.
  • Ensures safeguards are in place to protect personal information.
  • Responds to questions/concerns regarding the protection of personal information.
  • Liaises with external groups and ensures third parties protect the privacy of personal information.
  • Processes privacy-related complaints.

Create a written policy identifying your information management strategies once you have determined the rules regarding what information should be collected, used, stored and disclosed.

If employed by AHS, a hospital or nursing home, or another custodian or public body, you may be required to follow a privacy policy already in place. If so, review the policy to ensure it covers the basic principles set out in this guide and that you are compliant.

If working independently/in private practice and no other privacy policy applies, develop one that addresses your information management strategies and ensures the adequate protection of patient information in your custody. Appendix II on page 18 contains a worksheet to help ensure your policy adequately covers the information collected, used, stored and disclosed. Also see Appendix III on page 19 for a sample privacy statement (note that your privacy officer’s name and contact information must be inserted). Your statement should then be displayed and made available to all patients.

Principles that should be communicated to patients and employees in a policy include that:

  • Their privacy is valued.
  • There is a commitment to protect their personal information.
  • The collection, use, storage, and disclosure of their personal information is limited to that which is reasonable to achieve the purposes of providing physiotherapy treatment or relates to their employment.
  • Information is only disclosed to third parties for the specific purposes identified, with their express consent or as otherwise permitted by law.
  • Physical, technical and administrative safeguards are in place to secure their personal information.
  • There is a mechanism to access their personal information and that changes to inaccurate information will be considered.
  • A privacy officer is available to address questions/concerns regarding the privacy, policies and procedures (and include their business contact information in your policy).
  • There is a process to ensure privacy legislation is being properly enforced.

Legislation requires that you collect only the information needed to provide physiotherapy services to patients and to facilitate the processes necessary to complete transactions (e.g., direct billing). Consider the information currently collected and ensure it directly relates to the provision of physiotherapy. If not, cease collecting it.

Consider the sensitivity of the information collected and ensure the collection purpose is expressly stated on all your collection forms. Also, collect personal information directly from the individual in question unless they consent to you obtaining it from another source.

The concept of obtaining informed consent before providing physiotherapy treatment is not new. However, the concept of obtaining consent for the collection, use and disclosure of information may be. The general rule of all privacy legislation is that consent is required for the collection, use, storage, and disclosure of personal information. While the form of consent can vary (e.g., some legislation authorizes verbal consent while other legislation requires written) you can ensure compliance by obtaining written informed consent from patients.

The general disclosure rule has several exceptions, which means in certain circumstances information can be collected, used or disclosed without consent. A review of all the exceptions contained in the legislation is beyond this guide’s scope. For advice on specific situations, please contact your legal advisor or review the documents referenced under Step 1 - review governing legislation.

Forms of consent

The form of consent required varies with the applicable legislation. HIA requires written or electronic consent which must explicitly state the purpose for which the information is being collected, to whom it may be disclosed and how long the consent remains effective. On the other hand, PIPA and PIPEDA do not require written consent—verbal consent is acceptable.

The following are some consent form recommendations:

Form of consent if governed by PIPA

Verbal consent for the collection, use and disclosure of information is sufficient to ensure PIPA compliance. However, written consent is always prudent as it is difficult to prove verbal consent later on. Consider including a provision on existing treatment consent forms that would satisfy this requirement. For example:

I hereby consent to the collection, use, storage, and disclosure of my personal information in accordance with the XYZ Physiotherapy Clinic’s privacy policy. I hereby acknowledge that a copy of the privacy policy was made available to me and I have been advised who I may contact if I have any questions about anything contained in the privacy policy.

You can provide patients with a copy of your policy or a means of accessing it to help ensure they are aware of what information is being collected, how it is being used and stored and to whom it is being disclosed.

Form of consent if governed by HIA

HIA requirements are more onerous if information is being disclosed outside the 'circle of care' (defined as health-care professionals who provide treatment to a patient receiving physiotherapy from you). Information can be provided to circle of care providers without specifically obtaining patient consent. Outside that circle, however (e.g., to a lawyer or third-party insurer), HIA requires specific written or electronic consent. Have your patient sign a consent form at the time disclosure is made—see Appendix IV on page 22 for a sample consent form.

Contact, health and financial information are considered sensitive by most individuals. Appropriate safeguards must be in place to prevent unintended or unauthorized access to, or loss of, this information. Safeguards include:

  • Keeping records in places that only authorized individuals can access.
  • Locking cabinets and offices containing personal information and not leaving them unattended during business hours.
  • For computer files, using passwords, encryption, antivirus software and firewalls, and keeping software current (i.e., applying updates and patches).
  • Preventing unauthorized viewing of computer screens and using a password-protected screen saver.
  • Not discussing confidential information over the phone when it could be overheard.
  • Shredding paper records and wiping computer hard drives clean.
  • Confidentiality oaths for staff.
  • Confidentiality clauses in employment contracts.

Ensure service providers also follow your privacy policies

You are obligated to ensure the personal information in your custody is handled in accordance with the applicable privacy legislation. You may be asked to disclose personal information to a third-party (e.g., software providers, information technology specialists, accountants, etc.).

When hiring/retaining third-party service providers, ensure they know the personal information in your custody is governed by privacy legislation and that they too must protect the information’s confidentiality. You can do this via a written and signed privacy agreement (see Appendix V on page 23 for a sample agreement) or by inserting provisions of the agreement into third-party contracts.

Amendments to PIPA

In 2010, PIPA was amended to require notification of the Alberta Office of the Information and Privacy Commissioner in the event of a breach of personal information involving a “real risk of significant harm”.

PIPA was also amended to require notification of individuals when their personal information is stored or accessed outside of Canada. If PIPA applies in your practice, ensure that you have policies and procedures in place to deal with these obligations.

Ensure staff are aware of your privacy policy and relevant legislation and that they have the knowledge and skills necessary to handle privacy concerns. It is advisable for all staff to review this guide.

Invite patients to comment on the currency, completeness and accuracy of their personal information, including information regarding their current medical status.

Time limits for responding to access requests are set in legislation under PIPA, HIA and FOIP. Fee schedules are set in legislation under HIA and FOIP. Therefore, ensure patients understand the processes for accessing personal information.

When responding to access to information requests ensure that personal information about another person (provided in confidence by someone other than the person requesting access) is not inadvertently disclosed.

If patients request a change to their information, determine if the information on file is factually correct. While incorrect facts/details should be amended, changing a professional opinion because a patient disagrees is not required. Document the change request in the patient’s file. If the request is unwarranted, consider seeking advice (from Physiotherapy Alberta, the Office of the Information and Privacy Commissioner, etc.) to ensure the appropriate processes are followed. If patients express concern or dissatisfaction regarding a failed change request, explain that they can make a written complaint to your privacy officer or to the Office of the Information and Privacy Commissioner of Alberta (see contact information under Step 1).

To ensure an open process for handling privacy related concerns:

  • Identify the privacy officer as the complaints investigator.
  • Ensure a confidential complaints process.
  • Consider concerns objectively.
  • Respond to concerns in the manner in which they were expressed (e.g., if submitted in writing, respond in writing).
  • If privacy principles are not breached and legislative requirements not sacrificed, seek a collaborative solution wherever possible.
  • Document steps taken to address concerns.
  • Adjust privacy policies and practices to minimize future concerns.

Privacy legislation continues to evolve. Review your policies and practices regularly to ensure compliance with any changes and determine if your systems and processes meet your policy objectives.

While steps 1 to 12 focus on patient information, PIPA also applies to employees’ personal information. Therefore, physiotherapists employing staff (e.g., assistants, administrative personnel or other physiotherapists) must also ensure the collection, use and disclosure of personal employee information complies with legislation.

PIPA defines personal employee information as:

… in respect of an individual who is a potential, current or former employee of an organization, personal information reasonably required by the organization for the purposes of

  1. establishing, managing or terminating an employment or volunteer-work relationship, or
  2. managing a post-employment or post-volunteer-work relationship between the organization and the individual, but does not include personal information about the individual that is unrelated to that relationship.

Collection, use and disclosure of personal employee information

The general rule is that the information can be collected, used or disclosed by an organization without the consent of an individual if the individual is or was an employee or volunteer of the organization and:

  • The collection, use or disclosure is reasonable for the purpose for which it was collected, used or disclosed.
  • For current employees or current volunteers, the personal employee information includes only personal information related to establishing, managing or terminating that individual’s employment or volunteer relationship.
  • For former employees or former volunteers, the personal employee information includes only information related to managing the post-employment or post-volunteer relationship.
  • For current employees or current volunteers, before collecting, using or disclosing the information, employees and volunteers are notified of the collection, use and disclosure and its purpose.

Access to employees’ personal information

The rules regarding access to information also apply to personal employee information. Therefore, advise employees that they can access their information in the practice’s custody/control.

There are four different legislative Acts that establish rules regarding the collection, use, disclosure of and access to information. Because there are differences between the Acts, it is important to determine which governs your physiotherapy practice/environment. It is possible that more than one Act can apply.

Personal Information Protection Act (PIPA)

PIPA will apply in almost all cases to the personal and employee information collected, used and disclosed by physiotherapists in the private sector.

When does PIPA apply?

PIPA applies to personal/employee information collected, used and disclosed by physiotherapists:

  • Whose services are paid for directly by the patient.
  • Whose services are paid by a third-party insurer.
  • Whose services are paid for by the Alberta Workers’ Compensation Board.[1]
  • Who operate their own physiotherapy practice or work in partnership with someone else, and who hire employees, contractors or volunteers.

The Health Information Act (HIA)

This provincial legislation governs the collection, use, disclosure, and access to health information within Alberta’s publicly funded health system.

When does HIA apply?

HIA applies to health information including general patient information (name, personal health number, gender, date of birth, and marital status) and governs health information collected by a physiotherapist if/when the physiotherapist is:

  • employed by or contracting services to a physiotherapy practice operated by AHS, a hospital or nursing home,
  • providing physiotherapy services pursuant to a contract with AHS, or
  • paid directly by Alberta Health and Wellness in whole or in part.

Consent under HIA

HIA rules regarding the collection, use and disclosure of information differ from PIPA, PIPEDA and FOIP. If employed by AHS, a hospital or nursing home, you are considered an ‘affiliate’ under HIA. A physiotherapist working independently/in private practice and billing Alberta Health Care would be considered a ‘custodian.’

Under HIA, consent is not required before a custodian or affiliate can disclose information to another healthcare provider. Under other circumstances, consent is generally required to disclose information to a third party.

Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA establishes the rules for the collection, use, disclosure of, and access to personal information during the course of ‘commercial activities.’ Personal information is broadly defined as ‘information about an identifiable individual’ but does not include the name, title or business address of an employee of an organization.

When does PIPEDA apply?

PIPEDA can apply to Alberta physiotherapists in limited circumstances where personal information is being transferred across provincial boundaries (e.g., to a third-party insurer in another province).

Note: PIPEDA contains a few exceptions under which personal information can be disclosed without the individual’s consent. One exception is to collect a debt the individual owes you/your practice; however, in this case only the minimal amount of information necessary to collect the debt is to be released.

Freedom of Information and Protection of Privacy Act (FOIP)

FOIP establishes the rules for collecting, using, disclosing, and accessing information/records in the possession of a ‘public body’ defined as:

  • Alberta government department, branch or office.
  • Agency, board, commission, corporation, office or other body designated as a public body in the regulations (e.g., WCB).
  • Local public body (e.g., educational body, healthcare body or local government such as a municipality or a municipal board).

FOIP applies to all records in the public body’s custody/control; ‘record’ is broadly defined to include ‘information in any form,’ and can include information stored in any manner.

When does FOIP apply?

FOIP may apply to information collected, used and disclosed when a physiotherapist is employed by, or contracting services to, a school or school board.

Footnote

  [1] Physiotherapists/clinics with WCB contracts are also governed by the Workers’ Compensation Act, which gives the WCB a right of access to information in a patient’s file. FOIP may also apply to records related to WCB claims, depending on the circumstances.