[CAD] Compliance with Federal Privacy Laws (PIPEDA)

For private practitioners across Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal law that matters most to how they operate. As the federal privacy law for private-sector organizations, PIPEDA sets out the ground rules for how businesses must handle personal information in the course of commercial activity.

Organizations covered by PIPEDA must obtain an individual's consent when they collect, use or disclose that individual's personal information. Individuals have a number of rights over the information an organization collects, and organizations are limited in how they can use it:
  • Individuals have the right to access their personal information held by an organization, and they also have the right to challenge its accuracy.
  • Collected personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they need to obtain consent again.
  • Individuals should also be assured that their information will be protected by appropriate safeguards.
For a comprehensive but straightforward list of PIPEDA guidelines for commercial businesses, a good resource is the Government's Privacy Toolkit: A Guide for Businesses and Organizations. It is likely, however, that your college, or other institutions you belong to, will provide similar resources that are more specific to your profession.

As for what constitutes personal information, under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an individual. This can be information in any form, such as:
  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
As a result, PIPEDA is of significant importance to anyone working in private practice, where the collection of such information comes hand in hand with treatment.

PIPEDA applies only to commercial activities, so it does not generally apply to activities that take place in the public sector, such as those of universities, municipalities, governments, hospitals, and so on. If such institutions engage in commercial activities unrelated to their core functions, PIPEDA may still apply to those activities.

Owl and PIPEDA

The government and other institutions make a number of recommendations that practices should or must follow to achieve PIPEDA compliance. Owl makes several of these recommendations easier to follow, which improves a clinic's ability to be compliant. Here are some suggestions from the Privacy Commissioner's Ten tips for avoiding complaints to the OPC that are particularly relevant to Owl:

1. Take responsibility for employee actions

In the Group Edition of Owl, User Types allow you to customize, through a number of Settings, what access each user of Owl has to the PHI stored inside Owl. The Privacy Commissioner says: “To meet your PIPEDA responsibilities you need safeguards to reinforce these policies, which may include: [...] limits on employees’ access to personal information where they don’t need access, and/or safeguards against mass copying of information to portable devices (if warranted).”

User Types allow every User who is not set up as a Practice Owner to be restricted in ways that improve compliance here. For example, Therapists can be prevented from seeing Client files that are not their own, and Office Admins can be prevented from viewing Session and Non-Session Notes or from performing certain types of practice data exports.

2. Protect personal information

Security is a huge priority at Owl, and we do our best to ensure practice data is as secure as possible, which helps practices achieve compliance. At Owl, we use bank-level encryption (SSL) to encrypt all data that moves between our secure, dedicated servers and the device and browser on which a clinician accesses their Owl Practice account. The encrypted connection between those servers and the clinician's device and browser uses SHA256 with RSA. We continuously test our systems to ensure all of our encryption layers have the most up-to-date patches for any vulnerabilities that surface over time (for example, Heartbleed, CVE-2014-0160).

3. Respond to access requests

Extensive export options make exporting Client information out of Owl simple. Notes can be exported from the Client profile, all financial and Client data can be exported, and individual historical receipts and invoices can also be downloaded. Exports of secure messages are not currently possible, but Clients already have access to these messages through their Client Portal.

4. Be up front about your collection and use of personal information

Owl provides suggested language and guidance on this subject in our FAQ section and in a blog post on the topic.