College Blog 


  • Privacy Laws: The Times They Are A-Changin’

    Dec 11, 2018

    By: Fiona Campbell, Senior Physiotherapist Advisor

    In my role as Practice Advisor, both at the Canadian Physiotherapy Association Congress in Montreal this year and at the community outreach events where I’ve been speaking with physiotherapists, I’ve learned about a number of creative and revolutionary ways PTs are delivering physiotherapy care to patients.

    Many PTs are using mobile devices in practice and are expediting patient communications using text and email. I’ve listened to how they are making use of new apps to maximize patient benefits from physiotherapy. The pace of change is exhilarating.

    But I must remind you to be mindful of the risk of breaching privacy when patient information is kept on mobile devices.

    If privacy is breached, legal action can be launched by the patient against the physiotherapist.

    Are you aware of these risks and ready to mitigate them? Are you aware of changes to the privacy rules for health information?

    Privacy, Security and Consent

    If not well managed, the risk is high and includes privacy breaches, insecure data storage, and the physiotherapist’s or organization’s liability for failing to obtain proper patient consent.

    So, it’s understandable that the top questions physiotherapists are asking College Advisors are associated with technology and its use in practice.

    Most questions concern the use of smart phones in practice situations.

    We are getting questions about things such as what can be included in a text or email to patients, what information needs to be stored in a chart, and what data or photos can be stored on a PT's phone (for example a patient doing a home exercise program).

    Consumer mobile apps used to photograph patients do not meet requirements reasonably expected to ensure patient privacy.

    Dropbox, Facebook, Instagram and iCloud are some of the many apps programmed to automatically access documents and images stored on mobile devices. It is foreseeable that stored patient images or data could be accessed or backed up on non-secure systems. Any breach must be reported to the Privacy Commissioner and can result in you being fined.

    Physiotherapists need to have enough safeguards and protocols in place to protect patient health information. When collecting and storing photos or data on a mobile device, healthcare providers should get consent from the patient and explain what is being done to prevent photos or data from becoming public.

    Have a look at the Top Workplace Tips for Protecting Privacy on the Information and Privacy Commissioner’s website.

    What are the Rules?

    In Ontario, the rules governing the collection and storage of health information are found in the Personal Health Information Protection Act, 2004 (PHIPA); across Canada, the federal rules are set out in the Personal Information Protection and Electronic Documents Act (PIPEDA). (It’s important to note that PIPEDA does not cover not-for-profit or charity organizations.) The two acts, and when each applies, may seem confusing at first, but the requirements of both are similar.

    Seven Things to Do If There’s a Privacy Breach of Patient Information

    1. The Health Information Custodian (HIC) must determine whether the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including: whether the personal health information is sensitive; whether the loss or unauthorized use or disclosure involved a large volume of personal health information or many individuals’ personal health information; and whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure.
    2. Report to the Information and Privacy Commissioner any breaches involving personal and health information that pose a real risk of significant harm to individuals.
    3. Notify anyone affected by the breach.
    4. Notify any other organization that may be able to mitigate harm to affected individuals.
    5. Be prepared to report privacy breach statistics annually to the Commissioner under PHIPA. Custodians are required to start tracking privacy breach statistics as of January 1, 2018 and will be required to provide the Commissioner with an annual report of the previous calendar year’s statistics, starting March 2019.
    6. The Health Information Custodian must notify the College in either of the following circumstances:
      • If disciplinary action is taken against a member for a privacy breach, or
      • If an event occurs that relates to a loss or unauthorized use or disclosure of personal health information. For example, identity theft occurs after a patient’s personal health information is lost by a clinic.
    7. Incidents that are accidental do not have to be reported. For example, an email that is sent to the wrong recipient about an appointment change is not considered a breach and would not be included in an annual report.

    What Happens If You Ignore a Breach?

    If you do not report a breach of patient data, an individual can face a fine of up to $100,000, while an organization or institution can be liable for a fine of up to $500,000.

    Deliberate failure to report a data breach, or deliberate failure to notify an individual as required will be separate offences subject to fines of up to $100,000 per breach under PIPEDA.

    Take a Minute to Walk Through the Following Scenarios

    Scenario 1: A physiotherapist accidentally emails a patient report to a group email distribution list. The information in the report includes sensitive details about the patient’s mental health.

    What needs to be done?

    • The Health Information Custodian should notify the Information and Privacy Commissioner of the breach
    • The Health Information Custodian should notify the College as the breach is significant and contains sensitive information
    • Notify the patients directly involved in the breach
    • Document the incident

    Scenario 2: Patient health information stored on a physiotherapist’s laptop becomes subject to a ransomware or other malware attack. The information is not encrypted.

    Does the 'attack' need to be reported?

    Yes. Because the unencrypted information has been stolen, the breach needs to be reported to the Commissioner. If the data had been properly encrypted, it would not need to be reported.

    Scenario 3: A physiotherapist photocopies a patient chart at a local library and accidentally leaves the chart on the printer. She returns the next day, but the chart is gone and cannot be located by staff.

    What needs to be done?

    • The Health Information Custodian should notify the Information and Privacy Commissioner of the breach
    • The Health Information Custodian should notify the College, as the breach is significant: you do not know how the information might be used
    • Notify the patient directly involved in the breach
    • Document the incident

    Have Questions?

    Contact Practice Advice for answers and appropriate resources. You can reach us at 647-244-9118 or advice@collegept.org between 8:30 am and 5 pm, Monday to Friday.

    Privacy Resources

    Personal Health Information Protection Act 2004 (PHIPA)

    Personal Information Protection and Electronic Documents Act (PIPEDA)

    IPC PHIPA Connections Summit 2017

    IPC Health Privacy Breach Notification Guidelines

    10 Workplace Tips for Protecting Personal Information on Mobile Devices

  • Legalizing Cannabis: What Does it Mean for Physiotherapists?

    Nov 13, 2018
  • Supervising Physiotherapy Residents: An Important and Rewarding Role

    Oct 19, 2018
    Peter Ruttan, registered physiotherapist and Investigator at the College of Physiotherapists of Ontario, blogs about the responsibilities of a Practice Supervisor when working with Physiotherapy Residents.
  • What I Learned from the College: Top Tips for New Physiotherapists

    Sep 17, 2018
    Guest blogger and PT student Ian Winningham shares what he learned during his clinical placement at the College of Physiotherapists of Ontario.
  • What’s Your Piece of #MeToo?

    Aug 23, 2018
    A blog from the College of Physiotherapists of Ontario's Registrar, Shenda Tanchak, discussing the importance of boundaries between physiotherapists and patients, in the wake of the Me Too movement.
  • Creating a Discussion: More than Just a Checked Box

    Jul 24, 2018
    Elizabeth Leung, a physiotherapy student who is doing a placement at the College of Physiotherapists of Ontario, blogs about the importance of consent in physiotherapy practice.
  • Delisted—Make Sure it Doesn’t Happen to You

    May 24, 2018
    A blog by Fiona Campbell, Senior Physiotherapy Advisor at the College of Physiotherapists of Ontario, explaining how and when a physiotherapist may be delisted by an insurance company.
  • A Bedtime Story

    Apr 27, 2018
  • Who Runs the College Anyway?

    Mar 02, 2018
  • Did You Make a New Year’s Resolution to Lose Weight this Year?

    Jan 22, 2018

Contact the Practice Advisor

Free and anonymous counsel for PTs, patients, & the public. Learn More 

practiceadvice@collegept.org
416-591-3828 ext. 241
1-800-583-5885 ext. 241