Risks of Email

The risks of email make it important to comply with privacy protection laws.

Q: Can I use Office 365, which is cloud-based? How do I know where Office 365 is storing my email messages and documents?

Office 365 stores your messages and data on your personal computer and syncs this with storage on a server. Recently, Office 365 has made it possible for Canadians to use servers in Canada, rather than global servers. Skype for Business was rebranded as Microsoft Teams.

Q: Can I use Gmail to interact with clients? Can I use cloud-based apps and cloud-based storage such as Dropbox or Google Drive?

If you are employed by a public body in BC, you shouldn’t use Gmail because it is a cloud-based application which runs from global servers. This is also the case for cloud-based apps and cloud-storage.
 
If you work in the private sector and you don’t have any contracts that require you to follow FOIPPA, you can use Gmail, Dropbox, Google Drive and countless other cloud-based apps. Cloud storage is helpful if you want to access your data from more than one device. It also makes it easy to share data with people in other locations.

Q: I work for a government agency that blocks me from getting any referral documents that are cloud-based. Referrals must be faxed in. Why is this?

Fax machines provide direct communication. If a document is faxed from one place to another, it can be accompanied by an immediate receipt stating that it was received. This is the main reason why health care providers maintain the use of fax machines to transmit sensitive information.
 
Some health authorities are allowing referral packages to be sent by email. The sender starts by checking that the message will go to the correct person by sending an initial email with a basic greeting. The recipient responds, confirming the identity of the receiver. Once this loop is established, permission to send a whole referral package by email is granted.

Q: Can a private practice accept referrals by email?

Yes, private sector organizations are permitted to send and receive information using email and other cloud-based services. Use services that are encrypted and password-protected.



Canadian Legal Requirements

What are the Canadian legal requirements for privacy protection?

Q: Why have I seen advertisements that tell Canadian therapists to keep their data in Canada?

There is no federal law requiring therapists to keep their data in Canada. There are a few provinces that require public agencies to keep their data in Canada (i.e. Alberta, Quebec, British Columbia and Nova Scotia). This doesn't apply to the data you collect in your private practice. Your business is not a public agency.
 
Personal Health Information Protection Act (PHIPA): In Ontario, all healthcare providers must comply with their provincial Personal Health Information Protection Act. It makes no difference if they are with a public body or a private company. Ontario has many clinicians in private practice, so the advertisements you find online are largely aimed at the Ontario market. 
 
Ontario’s PHIPA states that a company in Canada that outsources information processing to the United States, where it will be subject to US laws, should notify its customers that the information may be made available to the US government or its agencies. The information should only be used for the original purpose of collection. It should be stored with the same level of password protection and encryption as would be the case in Canada. 
 
While information can cross borders, the Canadian business remains liable for any problems if there is a security breach. This risk places a hardship on Ontario’s healthcare providers, making them understandably cautious.
 

Q: What is a HIPAA Business Associate Agreement?

HIPAA addresses the problems of a fractured healthcare system in the US, where personal health information (PHI) is constantly being passed between healthcare providers, health insurers and health exchange organizations.
 
HIPAA Business Associate Agreement (BAA): The purpose of the BAA in HIPAA is to ensure that there is an unbroken chain of responsibility for any personal health information (PHI) that may be “touched” by a vendor and/or service provider. In other words, the law forces the big players to meet a common standard. The agreement is a method of sharing the risk and is, essentially, a promise to be accountable should a breach take place.
 
Not all providers for video conferencing software are willing to share the risk. For example, Apple and Skype have deliberately chosen not to take on these risks.

Q: Do I need the expensive version of Zoom which gives me a Business Associate Agreement? This is advertised as being in compliance with HIPAA (US), PIPEDA (Canada) and PHIPA (Ontario).

It depends.
 
As I stated earlier, Zoom has three features which use cloud storage. 
  • Storing recordings in the cloud
  • Creating user accounts for clients, which requires their name and email
  • Texting with clients in the Zoom chat window 

As a clinician in Canada, it is your responsibility to understand your obligations and goals. Are you required to keep your data in Canada? Are you running a sole practice? Are you responsible for a large workforce?
 
If you are required to keep your data in Canada, the free version of Zoom might still be the best option for you. Simply avoid using the chat feature in ZOOM and download your recordings to your computer instead of storing them in the cloud. Use a password and the waiting room feature. This prevents people from entering your session without permission. Your clients won’t need to create accounts. None of their data will be stored in the cloud. Once you have this set up, it works every time.
 
If you are with an agency or clinic, there is more risk. Your workforce might not be diligent about doing the manual steps that I just mentioned. In that case, you might want a paid account with Zoom, with a signed Business Associate Agreement. Cloud recording will be disabled and encrypted chat will be enabled. User accounts can be deleted. Notice that encrypted chat would still store messages in the cloud so you should avoid the chat feature.




Video Conferencing for Therapists

Let's compare the video conferencing apps that are commonly used by private practice therapists.

Q: Are there any Canadian video conferencing platforms?

This is not the right question. To the best of my understanding, it doesn’t matter where the platform or server is located if the sessions are protected from unwanted participants, the FBI, a malicious hacker and so on. If you are trying to comply with FOIPPA, the first thing you need is a platform which offers encryption so that your sessions can’t be intercepted. The second thing you need is assurance that no client data will be stored on a server outside of Canada.

Q: Is Microsoft Teams recommended for telepractice?

Skype for Business was purchased by Microsoft and has been rebranded as Microsoft Teams.  At the time of this writing, BC’s public SLPs were using Microsoft Teams because it was part of Office 365, which gave users the option to keep data on a server in Canada. 
 
In 2018, before the changes ushered in by the pandemic, I listened to some SLPs describe their experiences in trying to use Skype for Business for online sessions with clients. BC's provincial health authorities were trying to offer telepractice services within the mandate to keep data on servers in Canada. 
 
Here are two examples of how difficult this was:
 
Clients who were participating in telepractice through a health authority had to travel to a site that had clinic space and the necessary technology for telepractice sessions. The appointment was booked by a clerk who managed the schedules of the SLP, the clinic space, and an assistant who could log into Skype for Business and connect with the SLP. The client couldn’t connect from home. 

Clients were offered the option of speech language therapy by telepractice instead of having to travel to a hospital outpatient department. The client was responsible for providing a laptop or tablet and a high-speed internet connection. The health authority’s IT department created a Skype for Business ID and password for the client. The client had to bring their laptop or tablet to an initial onsite session. Staff from the health authority installed the software and trained the client to login. The client could then participate in telepractice sessions from home, provided that a reliable helper with good computer skills was available to help. Phone calls were used to book appointments for telepractice sessions. Support staff were required for this. 

The pandemic pushed institutions toward practical solutions that would allow clients and therapists to connect more easily online. 

Q: Can I use ZOOM, Skype or FaceTime?

If a platform provides encryption and password protection, it meets the federal requirements in PIPEDA and the provincial requirements in PIPA BC; however, if a platform stores data about clients in the cloud, it won’t meet the provincial requirements in FOIPPA.
 
There are many platforms that offer online webcam sessions. Here are some that you are probably familiar with:
 
ZOOM Cloud Meetings: Zoom can run from a browser without downloading anything to a client’s computer. This creates a basic version of Zoom without all the features. The more typical way that people use Zoom is to download components of the program onto their computer and then enter a session. There are regular updates to the software, so users are expected to refresh the download periodically. As the clinician hosting the session, you can’t avoid these downloads.
 
There are pros and cons. If your employer prohibits you from downloading programs onto your office computer, you won’t be able to use Zoom without permission to install the program. The advantage of this download, however, is that Zoom is stable even when bandwidth is poor. 
 
You can use the free version of ZOOM without storing any data about your clients in the cloud. The free version of ZOOM gives you two-way encryption. You have the option of using a waiting room and admitting clients into the session manually. You can also protect your sessions with a password.
 
Skype: All Skype-to-Skype voice, video, file transfers and instant messages are encrypted. This protects you from potential eavesdropping by malicious users. If you make a call from Skype to mobile and landline phones, the part of your call that takes place over the PSTN (the ordinary phone network) is not encrypted. Skype-to-Skype requires users to set up accounts, so your clients would have to store their name, email and possibly a picture in the cloud. 
 
FaceTime: The FaceTime app works on iOS devices. It is private because your calls are protected using end-to-end encryption, so there is no way someone outside of your call could access your call. Calls are not recorded, and no part of your calls is sent to or stored by Apple. Only you and the person you call can join the call. FaceTime contents are stored in the cloud.
 

Q: Which video conferencing app do you recommend?

I currently recommend the ZOOM Cloud Meetings App for speech language pathologists in private practice in BC because it is free and has all the features you need. The high quality of the audio-visual transmissions in ZOOM makes it ideal for speech language therapy. The screen share feature is versatile and robust. 
 
Zoom works well for the level of interaction needed in speech language therapy. It is the only video conferencing platform which allows both participants to share the audio of their device when they are screen sharing. I had clients who used online software in therapy. If they were having problems, I could watch and listen while they logged into an assignment. I could see why they were having problems. It was like being in the room with them.
 
Both the free account and the ZOOM Pro account will meet the privacy requirements of FOIPPA if you are careful not to store any data about clients in the cloud. Specifically, if your workplace does not allow data storage on Zoom’s global servers, you can take steps to safeguard against this. 
 
Only three of Zoom’s features use cloud storage. You can manually turn these off. These are:

  • Storing recordings in the cloud
  • Creating user accounts for clients, which requires their name and email
  • Texting with clients in the Zoom chat window 

Keep in mind that you automatically get encryption with all versions, so you don’t need a paid account to get encryption.

Q: Do clients need to be aware that I am recording and what I am doing with recordings? Do clinicians need to be aware of when clients are recording and what they are doing with recordings?

It’s yes for both. The platform that you are using for telepractice should have a setting that lets the person know that they are being recorded. In advance, you should get signed consent for making video recordings.
 
Most telepractice platforms make it easy to create video recordings. I always asked for consent to make recordings while providing treatment. All my telepractice clients agreed to this because it gave us an objective record of progress.

Q: Where should I store my video recordings?

Store your videos on a secure drive or server. If you work in private practice with data that you have collected, as opposed to data from BC’s government, you can use cloud storage. 
 
If you work for a public agency, your employer might have a specific server for your videos. If not, be very careful about cloud storage because this might not be permitted.  Remember that compliance with FOIPPA means keeping your data within Canada.
 
In any work situation, you can download them to your local computer and then use password protection for your computer and even for the specific folder.



Business Platforms for Therapists

Business platforms for therapists integrate functions that a therapist needs.

Q: Which platform offers the best integration of the functions that a private practice therapist needs?

 The biggest shortcoming of most platforms made for private practice therapists is that the traditional philosophy of selling time is baked into the features. It is rare to find a platform that gives therapists a custom website and ways to generate income from digital products, group programs, online courses and asynchronous coaching behind a login. 
 
In my opinion, having multiple income streams that don't rely on subcontractors is the best way to build a profitable therapy business. In my own business, I designed several WordPress websites to give me this result. It took me more than 10 years. The technical glitches were endless. I don't recommend this route.
 
Instead, I highly recommend the AttractWell platform for private practice therapists who want their website, marketing and online curriculum to be completely integrated. Zoom, online forms, online appointment booking and everything else you need is included.
 
  • AttractWell (attractwell.com): This is the only platform that I recommend for private practice therapists who want to generate multiple income streams rather than relying on their time as their sole inventory. You can create and grow a business on this platform. My personal link gives you a discount to get started.

Q: Which clinic management platforms are a good fit for Canadian therapists? 

Most clinic management platforms are designed for appointment bookings, clinical notes and invoicing. The traditional philosophy of selling your time as your sole inventory is baked into these platforms. The ones that include video conferencing are designed to mimic a doctor’s visit. They might not offer interactive features like playing videos, sharing audio across devices, and using a whiteboard. The following are a good fit for Canadian therapists who are interested in keeping their data in Canada.
 
  • Doxy Me (https://doxy.me/en/): This is promoted as a telemedicine solution for clinics, hospitals and health systems.
  • Therabyte (https://therabyte.app/): This software was designed for SLPs and OTs. It features client booking, documentation, goal tracking and invoicing. It's a BC company with servers in Canada and the US. The video conferencing feature is called Therabyte Meet. 
  • Jane App (https://jane.app/): The Jane platform is for healthcare providers like physiotherapists and chiropractors. It offers online booking, charting, scheduling and invoicing in one system. This company is based in BC and has multiple servers in Canada, plus servers in the UK, the US and Australia. They have an internal payment processing capability which works in Canada and many other countries.
  • Owlpractice (https://owlpractice.ca): This Canadian platform offers online clinic management for mental health, allied health, SLPs and OTs. The video conferencing solution is called Owl Video Therapy.
  • Practice Better (https://practicebetter.io): This platform was designed by a dietician and her husband. It has a number of features specific to the wellness industry and also offers integrations with wellness apps. It offers integration with Zoom rather than providing a lesser video conferencing solution. 

The following platforms are also popular with therapists. Even though the data may be hosted on servers outside of Canada, the level of security is high. Many of these have in-app video conferencing or the option of integrating with Zoom as an add-on. Here are some examples:
 



Warnings for Canadian Therapists

Warnings about the risks of data storage for Canadian therapists can be confusing.

Q: Why have I seen advertisements that tell Canadian therapists to keep their data in Canada?

There is no federal law requiring therapists to keep their data in Canada. There are a few provinces that require public agencies to keep their data in Canada (i.e. Alberta, Quebec, British Columbia and Nova Scotia). This doesn't apply to the data you collect in your private practice. Your business is not a public agency.
 
Personal Health Information Protection Act (PHIPA): In Ontario, all healthcare providers must comply with their provincial Personal Health Information Protection Act. It makes no difference if they are with a public body or a private company. Ontario has many clinicians in private practice, so the advertisements you find online are largely aimed at the Ontario market. 
 
Ontario’s PHIPA states that a company in Canada that outsources information processing to the United States, where it will be subject to US laws, should notify its customers that the information may be made available to the US government or its agencies. The information should only be used for the original purpose of collection. It should be stored with the same level of password protection and encryption as would be the case in Canada. 
 
While information can cross borders, the Canadian business remains liable for any problems if there is a security breach. This risk places a hardship on Ontario’s healthcare providers, making them understandably cautious.

Q: What is a HIPAA Business Associate Agreement?

HIPAA addresses the problems of a fractured healthcare system in the US, where personal health information (PHI) is constantly being passed between healthcare providers, health insurers and health exchange organizations.
 
HIPAA Business Associate Agreement (BAA): The purpose of the BAA in HIPAA is to ensure that there is an unbroken chain of responsibility for any personal health information (PHI) that may be “touched” by a vendor and/or service provider. In other words, the law forces the big players to meet a common standard. The agreement is a method of sharing the risk and is, essentially, a promise to be accountable should a breach take place.
 
Not all providers for video conferencing software are willing to share the risk. For example, Apple and Skype have deliberately chosen not to take on these risks.

Q: Do I need the expensive healthcare version of Zoom?

It depends.
 
Zoom has three features which use cloud storage:
  • Storing recordings in the cloud
  • Creating user accounts for clients, which requires their name and email
  • Texting with clients in the Zoom chat window

As a clinician in Canada, it is your responsibility to understand your obligations and goals. Are you required to keep your data in Canada? Are you running a sole practice? Are you responsible for a large workforce?
 
If you are required to keep your data in Canada, the free version of Zoom might still be the best option for you. Simply avoid using the chat feature in ZOOM and download your recordings to your computer instead of storing them in the cloud. Use a password and the waiting room feature. This prevents people from entering your session without permission. Your clients won’t need to create accounts. None of their data will be stored in the cloud. Once you have this set up, it works every time.
 
If you are with an agency or clinic, there is more risk. Your workforce might not be diligent about doing the manual steps that I just mentioned. In that case, you might want a paid account with Zoom, with a signed Business Associate Agreement. Cloud recording will be disabled and encrypted chat will be enabled. User accounts can be deleted. Notice that encrypted chat would still store messages in the cloud so you should avoid the chat feature.



 