College Blog 


Privacy Laws: The Times They Are A-Changin’

Dec 11, 2018

By: Fiona Campbell, Senior Physiotherapist Advisor

In my role as Practice Advisor—attending the Canadian Physiotherapy Association Congress in Montreal this year and through the community outreach events where I’ve been speaking with physiotherapists—I’ve learned about a number of creative and revolutionary ways PTs are delivering physiotherapy care to patients.

Many PTs are using mobile devices in practice and are expediting patient communications using text and email. I’ve listened to how they are making use of new apps to maximize patient benefits from physiotherapy. The pace of change is exhilarating.

But I must remind you to be cautious about the risk of breaching privacy whenever patient information is held on a mobile device.

If privacy is breached, legal action can be launched by the patient against the physiotherapist.

Are you aware of these risks and ready to mitigate them? Are you aware of changes to the privacy rules for health information?

Privacy, Security and Consent

If these tools are not well managed, the risk is high. It includes privacy breaches, insecure data storage, and the physiotherapist's or organization's liability for failing to obtain proper patient consent.

So, it’s understandable that the top questions physiotherapists are asking College Advisors are associated with technology and its use in practice.

Most questions concern the use of smart phones in practice situations.

We are getting questions about things such as what can be included in a text or email to patients, what information needs to be stored in a chart, and what data or photos can be stored on a PT's phone (for example a patient doing a home exercise program).

Consumer mobile apps used to photograph patients do not meet requirements reasonably expected to ensure patient privacy.

Dropbox, Facebook, Instagram and iCloud are among the many apps that can automatically access, sync or back up the documents and images stored on a mobile device. It is therefore foreseeable that patient images or data stored on the device will be copied to systems you do not control or secure. A breach may have to be reported to the Information and Privacy Commissioner and can result in a fine.

Physiotherapists need to have enough safeguards and protocols in place to protect patient health information. When collecting and storing photos or data on a mobile device, healthcare providers should get consent from the patient and explain what is being done to prevent photos or data from becoming public.

Have a look at the Top Workplace Tips for Protecting Privacy on the Information and Privacy Commissioner’s website.

What are the Rules?

In Ontario, the rules governing the collection and storage of health information are found in the Personal Health Information Protection Act, 2004 (PHIPA). Across Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to personal information handled in the course of commercial activity (it is important to note that this generally does not include not-for-profit or charitable organizations). Which act applies, and when, may seem confusing at first, but the requirements of the two acts are similar.

Seven Things to Do If There’s a Privacy Breach of Patient Information

  1. The Health Information Custodian (HIC) must determine whether the loss or unauthorized use or disclosure of personal health information is significant, after considering all relevant circumstances, including whether the personal health information is sensitive, whether the loss or unauthorized use or disclosure involved a large volume of personal health information or many individuals' personal health information, and whether more than one health information custodian or agent was responsible.
  2. Report to the Information and Privacy Commissioner any breach involving personal health information that poses a real risk of significant harm to individuals.
  3. Notify anyone affected by the breach.
  4. Notify any other organization that may be able to mitigate harm to affected individuals.
  5. Be prepared to report privacy breach statistics to the Commissioner annually under PHIPA. Custodians were required to start tracking privacy breach statistics as of January 1, 2018 and must provide the Commissioner with an annual report of the previous calendar year's statistics, starting in March 2019.
  6. The Health Information Custodian must notify the College in the following circumstances:
    • If disciplinary action is taken against a member for a privacy breach
    • If an event occurs that relates to a loss or unauthorized use or disclosure of personal health information (for example, identity theft occurs after a patient's personal health information is lost by a clinic)
  7. Not every accidental incident has to be reported. For example, an email about an appointment change that is sent to the wrong recipient is not considered a significant breach and would not be included in the annual report.

What Happens If You Ignore a Breach?

Under PHIPA, failing to report a breach of patient data can lead to costly fines: up to $100,000 for an individual, and up to $500,000 for an organization or institution.

Under PIPEDA, knowingly failing to report a data breach, or knowingly failing to notify an individual as required, is a separate offence subject to fines of up to $100,000 per breach.

Take a Minute to Walk Through the Following Scenarios

Scenario 1: A physiotherapist accidentally emails a patient report to a group email distribution list. The information in the report includes sensitive details about the patient’s mental health. 

Take the following steps: 
  • The Health Information Custodian should notify the Information and Privacy Commissioner of the breach
  • The Health Information Custodian should notify the College as the breach is significant and contains sensitive information
  • Notify the patients directly involved in the breach
  • Document the incident

Scenario 2: Patient health information stored on a physiotherapist’s laptop becomes subject to a ransomware or other malware attack. The information is not encrypted.

Does the 'attack' need to be reported?

Yes. Unencrypted patient information has been exposed to an attacker, who may have copied it as well as encrypted it, so the incident must be reported to the Commissioner. If the data had been properly encrypted, with the encryption key not exposed to the attacker, it would not need to be reported. Be careful with that exception: encrypting a laptop's disk protects the data only while the device is powered off or locked. Malware running in a logged-in session reads the same decrypted files the user can, so the data on a running laptop should be treated as exposed whatever the disk-encryption setting, and the attack assessed on that basis.

Scenario 3: A physiotherapist photocopies a patient chart at a local library and accidentally leaves the chart on the printer. She returns the next day, but the chart is gone and cannot be located by staff.

Take the following steps: 

  • The Health Information Custodian should notify the Information and Privacy Commissioner of the breach
  • The Health Information Custodian should notify the College, as the breach is significant: you do not know how the information might be used
  • Notify the patient directly involved in the breach
  • Document the incident

Have Questions?

Contact Practice Advice for answers and appropriate resources. You can reach us at 647-484-8800 between 8:30 am and 5:00 pm, Monday to Friday.

Leave a comment
  1. Practice Advisor | Dec 18, 2018

    Hi Carla,

    Yes, there is a risk of a privacy breach, so please consult your facility’s policy for protecting patient information and for mitigating risks of breaches.

    You need to find out:

    1. Does the Health Information Custodian (HIC) permit the use of personal devices at work? Often they do not as the security risk is too high.

    2. What are the limits around information that can be relayed using mobile devices? Sometimes setting an appointment is OK but I see in your examples patients can be identified along with their treatment, so yes, it may pose a risk to the privacy of a patient.

  2. Carla | Dec 14, 2018

    I'm a little unsure about PTs using their personal phones to communicate with each other during the day.  For example, a PT sends a text message on her personal phone to her rehab assistant that says "Please walk Ms. S in room 433 with a 2ww about 60 meters today."  Or a PT texts something like "Ms. J.S. is transferring to your unit today, room 3380. I'm TOAing to you, notes are in the chart. I think she'll need a rehab app."

    Would these examples constitute a privacy breach?

  3. Practice Advisor | Dec 13, 2018

    Thanks for your question. You have taken important steps to secure the information you send. I suggest you have a clear policy on what can be sent by email, taking into consideration the sensitivity and the volume of health information. You should have unambiguous consent from the patient to receive any information by email.  

    If the email contains health information it will need to be encrypted. Have a read through the IPC Fact Sheet about sending personal health information via email for helpful information. Or, feel free to give me a call at 647-484-8800.

  4. Kinjal | Dec 13, 2018

    It is important to take informed consent prior to sending an email rather than informing the client that we will be sending an email.

  5. Gerda Hayden | Dec 12, 2018

    I email patients a summary of their home ex prog.

    The email server is password protected and I tell patients that they will be receiving an email from me. Are there any other safeguards I need to consider?

    Regards, Gerda
