By: Fiona Campbell, Senior Physiotherapist Advisor
In my role as Practice Advisor—attending the Canadian Physiotherapy Association Congress in Montreal this year and through the community outreach events where I’ve been speaking with physiotherapists—I’ve learned about a number of creative and revolutionary ways PTs are delivering physiotherapy care to patients.
Many PTs are using mobile devices in practice and are expediting patient communications using text and email. I’ve listened to how they are making use of new apps to maximize patient benefits from physiotherapy. The pace of change is exhilarating.
But I must remind you to be cautious and careful of the risks of breaching privacy when it comes to patient information on mobile devices.
If privacy is breached, legal action can be launched by the patient against the physiotherapist.
Are you aware of these risks and ready to mitigate them? Are you aware of changes to the privacy rules for health information?
Privacy, Security and Consent
Risk is high if it is not well managed, and it includes privacy breaches, insecure data storage, and the physiotherapist's or organization's liability for failing to obtain proper patient consent.
So, it’s understandable that the top questions physiotherapists are asking College Advisors are associated with technology and its use in practice.
Most questions concern the use of smart phones in practice situations.
We are getting questions about things such as what can be included in a text or email to patients, what information needs to be stored in a chart, and what data or photos can be stored on a PT's phone (for example a patient doing a home exercise program).
Consumer mobile apps used to photograph patients do not meet the safeguards reasonably expected to ensure patient privacy.
Dropbox, Facebook, Instagram and iCloud are some of the many apps programmed to automatically access documents and images stored on mobile devices. It is foreseeable that stored patient images or data could be accessed or backed up on non-secure systems. Any breach must be reported to the Privacy Commissioner and can result in you being fined.
Physiotherapists need to have adequate safeguards and protocols in place to protect patient health information. When collecting and storing photos or data on a mobile device, healthcare providers should obtain consent from the patient and explain what is being done to prevent the photos or data from becoming public.
Have a look at the Top Workplace Tips for Protecting Privacy on the Information and Privacy Commissioner’s website.
What are the Rules?
In Ontario, the rules governing the collection and storage of health information are found in the Personal Health Information Protection Act, 2004 (PHIPA); across Canada, they are found in the Personal Information Protection and Electronic Documents Act (PIPEDA). (It's important to note that this does not include not-for-profit or charity organizations.) The two acts, and when each should be applied, may seem confusing at first, but the requirements of both acts are similar.
Seven Things to Do If There’s a Privacy Breach of Patient Information
- The Health Information Custodian (HIC) must determine whether the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including: whether the personal health information is sensitive; whether the loss or unauthorized use or disclosure involved a large volume of personal health information or the personal health information of many individuals; and whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure.
- Report to the Information and Privacy Commissioner any breaches involving personal and health information that pose a real risk of significant harm to individuals.
- Notify anyone affected by the breach.
- Notify any other organization that may be able to mitigate harm to affected individuals.
- Be prepared to report privacy breaches annually to the Commissioner under PHIPA. Custodians will be required to start tracking privacy breach statistics as of January 1, 2018 and will be required to provide the Commissioner with an annual report of the previous calendar year's statistics, starting March 2019.
- The Health Information Custodian must notify the College in the following circumstances:
  - If disciplinary action is taken against a member for a privacy breach, or
  - If an event occurs that relates to a loss or unauthorized use or disclosure of personal health information. For example, identity theft occurs after a patient's personal health information is lost by a clinic.
- Incidents that are accidental do not have to be reported. For example, an email that is sent to the wrong recipient about an appointment change is not considered a breach and would not be included in an annual report.
What Happens If You Ignore a Breach?
If you do not report a breach of patient data, costly fines of up to $100,000 can be imposed on an individual, while an organization or institution can be liable for a fine of up to $500,000.
Deliberate failure to report a data breach, or deliberate failure to notify an individual as required, will be separate offences, each subject to fines of up to $100,000 per breach under PIPEDA.
Take a Minute to Walk Through the Following Scenarios
Scenario 1: A physiotherapist accidentally emails a patient report to a group email distribution list. The information in the report includes sensitive details about the patient’s mental health.
Take the following steps:
- The Health Information Custodian should notify the Information and Privacy Commissioner of the breach
- The Health Information Custodian should notify the College as the breach is significant and contains sensitive information
- Notify the patients directly involved in the breach
- Document the incident
Scenario 2: Patient health information stored on a physiotherapist’s laptop becomes subject to a ransomware or other malware attack. The information is not encrypted.
Does the 'attack' need to be reported?
Yes. Because the information has been stolen, it must be reported to the Commissioner. If the data had been properly encrypted, it would not need to be reported.
Scenario 3: A physiotherapist photocopies a patient chart at a local library and accidentally leaves the chart on the printer. She returns the next day, but the chart is gone and cannot be located by staff.
Take the following steps:
- The Health Information Custodian should notify the Information and Privacy Commissioner of the breach
- The Health Information Custodian should notify the College, as the breach is significant and it is not known how the information might be used
- Notify the patient directly involved in the breach
- Document the incident
Have Questions?
Contact Practice Advice for answers and appropriate resources. You can reach us at 647-484-8800 or advice@collegept.org between 8:30 am and 5:00 pm, Monday to Friday.
Privacy Resources