
Maintaining clients over time often involves communication within treatment teams.
Q: Is consent assumed in workplace communication, allowing colleagues to discuss a case?
The key concept to remember is that the data belongs to the organization that has collected it. The organization is responsible for maintaining the confidentiality of the information.
Specific levels of consent are assumed in workplace discussions between colleagues. This is tied to the role and responsibilities of the employee. People working within an organization have access to the internal data that is appropriate for their security clearance level. They are allowed to have case discussions with others who have similar roles and responsibilities.
Organizations are required to have safeguards in place so that people who don't have security clearance cannot access the information. Leaving a confidential file on top of a desk overnight would be inappropriate because the cleaning staff would be able to read that file. Similarly, having a case discussion in a public cafeteria or elevator would be inappropriate. Security badges, locked doors and passwords are all examples of safeguards that protect the privacy of clients.
Q: Should supervisors or students be able to observe telepractice sessions in a clandestine way, without their participation being obvious to the client or clinician?
Sometimes a clandestine observation is better than an interruption which derails the session. Your policy regarding observations should be explained at the beginning. It should be part of the informed consent. ZOOM Cloud Meetings offers this for agency accounts, but not individual accounts.
Q: Can my coworkers see my clinical notes?
Yes, many workplaces use some type of central, secure storage for data so that the data survives long after you are gone. If you retire or move to another job, the information about your past clients will stay with the organization.
Q: My workplace has a VPN which I use when I work from home. What is that?
Here are some definitions that you should know:
Intranet: An intranet is a private LAN accessible only to an organization’s staff. Intranets can act as communication hubs for organizations. If you are an approved employee, you can store information such as clinical records, staff news and announcements centrally and your co-workers will be able to access the information at any time.
Intranet versus Internet: There is one major distinction between an intranet and the Internet: The Internet is an open, public space, while an intranet is designed to be a private space.
Remote Access Server (RAS): A remote access server is a type of server that provides a suite of services to remotely connected users over a network or the Internet. It operates as a central server that connects remote users with an organization's internal local area network (LAN). Thus, an approved employee would be able to log into the private space without being in the building. It allows employees to work remotely.
Virtual Private Network (VPN): A VPN allows you to create a secure connection to another network over the Internet. If you are working for an agency from a remote location, your agency will want to prevent unauthorized people from being able to access the private space. A VPN encrypts the traffic between your device and your agency's network and makes it appear as though you are in the same location as the server that you are logging into.

Here are the five guiding principles for Canadian therapists.
1st Principle: The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all of Canada
As a service provider in Canada, you are required to comply with PIPEDA, which is a federal law that has some similarities to HIPAA in the US. Whenever you obtain personal information about a potential client, you are expected to protect that information with three types of safeguards:
- Administrative safeguards identify all written, spoken or electronic personal information and prevent that information from being shared with people who should not have access to it. For example, a consent form for the release of information is an administrative safeguard.
- Physical safeguards like locked doors and employee badges prevent unauthorized people from being able to access workstations and electronic media.
- Technical safeguards, like user IDs, passwords and data encryption, keep the data hidden until an authorized recipient opens it.
There is no federal law which states that personal information or personal health information must stay on a server in Canada.
2nd Principle: In most provinces, the privacy protection laws for data collected by the private sector have been deemed substantially similar to PIPEDA, the federal law.
If you are a therapist working in private practice, you are working in the private sector, not the public sector. Use the link below to get the details for each region of Canada. You will see that in most parts of Canada, the privacy protection laws for the private sector mirror PIPEDA. There is no provincial or regional law which states that the data you collect in your business must stay on a server in Canada. Businesses are permitted to use programs that run on global servers, such as email, online programs and cloud storage.
In the province of British Columbia, the privacy protection law for the private sector is the Personal Information Protection Act (PIPA). If your business collects personal information from clients and simply bills a government funding source, PIPA applies. For example, if you are a therapist in BC, your data from clients funded by the Autism Funding Program or At Home Medical Benefits can reside on global servers.
3rd Principle: In a few provinces, the privacy protection laws for data collected by the public sector state that the data must stay in Canada.
All Canadian provinces and territories have enacted legislation that regulates the collection, use and disclosure of personal information in the public sector. Specifically, this is any data that the local government has collected through public schools, health authorities, public service agencies, the courts and so on.
Let’s use British Columbia as our example again. BC protects public data with FOIPPA (Freedom of Information and Protection of Privacy Act). Public bodies are required to comply with this law, which states that data collected by a public body must stay in Canada. This has far-reaching implications for the use of email, online programs and cloud storage. Note that this is not a federal law; it is specific to BC.
Nova Scotia, Quebec and Alberta have similar laws. These were enacted in response to the Patriot Act in the US. The following article provides a summary of how and why these provincial laws exist.
4th Principle: The Personal Health Information Protection Act (PHIPA) only applies to healthcare professionals in Ontario
If you do online research regarding practice management software for therapists in Canada, you will find marketing messages aimed at Ontario’s healthcare providers. Ontario has a unique privacy protection law which differs substantially from the rest of Canada. All healthcare data is protected by the Personal Health Information Protection Act (PHIPA), regardless of whether it was collected by a clinician in the public sector or the private sector.
PHIPA states that patients must know where their healthcare data is being stored and must be informed if a breach occurs. This law does not state that healthcare data must reside on servers in Canada. There is a strong inclination to do so, however, because Canadian healthcare providers are held responsible for full disclosure to the public.
5th Principle: Provincial and regional governments remain responsible for the data they own and subsequently share with therapists.
Pay close attention! If you are a private practice therapist in Canada, you must understand and comply with this principle. In British Columbia, Nova Scotia, Quebec and Alberta, it is important to distinguish between data collected by your business versus data collected by your provincial or regional government and then shared with your business.
If you are a contractor for a public body, there may be a privacy protection schedule attached to your contract. For example, a private practice therapist in BC might be surprised to learn about the obligation to comply with BC’s Freedom of Information and Protection of Privacy Act (FOIPPA) in order to work with clients from government programs such as WorkSafe BC or the Community Brain Injury Program.
This is because the public body remains responsible for the personal information that it owns and subsequently shares with you. There might be a government case manager involved, or case files that are passed to the therapist. Note that the government does not own basic contact information, like a person’s name, email and address.
Become a Confident Telepractice Professional
I hope my advice has helped you become more confident.
Stay in compliance with the privacy protection laws that apply to your work situation. If you have more than one workplace, do your best to understand the different regulations that apply. Stay informed so that you can avoid anxiety, conflicts and unnecessary expenses.

As a business owner, you can't avoid the legalities of online therapy services.
There is a chronological sequence that you will go through with every client, from a public enquiry to an archived case. There are privacy issues throughout this sequence.
Here is an overview of the phases of online service provision and some terms you should become familiar with.
Phase 1: Marketing
Marketing involves interacting with the public to inform people about your services.
Sales Funnel: Your marketing efforts will look like an inverted triangle or funnel, with many people from the public entering at the top and only a limited number making the decision to become your clients.
Landing Page: This page is where the public lands when they click on a link in a search engine. It is different than the home page of your website. A landing page promotes a product or service. The purpose is to collect leads. A blog post can serve as a landing page. Sometimes landing pages have no menu because you don’t want the public to wander away from the page. Many landing pages have a strong call to action which people click in order to get something they want.
Generic Traffic: This means you are not using paid advertising to bring the public to your online content. They are finding the content by searching for it.
Cost Per Click: You might pay for traffic if you are not getting enough generic traffic. Online advertisers put your advertisement in front of an audience. In many cases, you get billed for the number of clicks on the ad. This cost per click is determined by many competitive factors.
Inbound Marketing: People have questions, and they are actively looking online for answers. Inbound marketing means that the public is finding you because they want a solution to a problem. By providing the public with information, you can help them decide if your services are a good fit for them. This is contrasted with traditional marketing which interrupts people and tells them about services they may have no interest in.
Lead: At the very beginning, someone from the general public might find your website, click on a few pages and fill in a form. By doing so, the person has become a lead. Your next step is to interact with that person.
Phase 2: Qualifying
Qualifying is a term that refers to narrowing down leads into potential clients. These people have not purchased services from you yet, but you have collected enough information to know that they meet the requirements for your telepractice.
Sometimes the lead is a family member or agency contact so it can take several interactions before the enquiry narrows down to an actual prospect for your telepractice services.
Support staff might be involved in processing enquiries. This might take place in person rather than via online interactions. There might be some screening that takes place, to ensure that the prospect is a good fit for the telepractice services that you are offering.
Qualified Prospect: This is a person who meets your requirements for telepractice.
Phase 3: Billing
Billing involves getting a commitment and getting paid. You need confidential processes for formal quotes, contract negotiations, funding applications, signatures, storing credit card information, billing accurately, issuing receipts and storing financial records.
Client: A qualified prospect converts to a client when a commitment is made. You offer services or a product and the client accepts your terms.
Conversion: The step of making a commitment to become a client is referred to as a conversion in your sales funnel.
Third Party Funding: The people getting the service are the first party. You are the second party. When the funding is coming from an agency rather than the people getting the service, it is called 'third party funding.'
Phase 4: Onboarding
Onboarding refers to the early phase of working with a new client. Your words and actions will either build rapport or sabotage it. Your new clients will be getting to know you. They will also be experiencing your tech processes and communication tools for the first time.
Buyer’s Remorse: Be mindful that buyer’s remorse often hits. This means that your new client regrets making a commitment. With new telepractice clients, the technology can be overwhelming for the client. Skillfully improving your onboarding process will help you keep clients and build your practice. If you show a lack of professionalism regarding privacy protection, your clients will feel nervous or offended. Make sure you know how to interact as a telepractice professional.
Phase 5: Maintaining
Maintaining clients beyond the first contract will help your business succeed.
Creating Data: While working with an active client, you will create clinical notes, progress reports, email messages and possibly some webcam recordings. All of this is data about your client. Most likely this data will be created in various forms, in various locations.
Accessing Data: You might retire or leave to work elsewhere. Another clinician might have access to all the information you collected about your clients. Eventually a clinician will close the case, but the data will still exist. Your employer or business will still be responsible for maintaining the privacy of that data.
Phase 6: Preserving
Preserving your physical records and online data and keeping all your information confidential remains your responsibility.
Teaching: The data might be viewed by your colleagues, supervisors and administrators. You might want to present interesting cases at a conference or use your recordings to teach students.
Marketing: You might want to use your success stories as testimonials. You might create a press release about your services.

Online therapists need answers about privacy protection.
When I graduated as an SLP, I started working part-time for the Vancouver Health Department and I immediately started seeing private clients. It is fairly common for a speech language pathologist to be employed in more than one setting. Many SLPs have a private practice in addition to a public sector job.
My first boss at the health department was an experienced SLP who taught me about caseload management. Essentially, all the administrative skills that I was learning in my public sector job were directly applicable to my private practice. Obviously, things have changed.
If you want to excel at running a telepractice business, there is a lot to learn! Online therapists need answers.
In BC, the rules for staying legal in your public job are not the same as the rules for staying legal in your business. This document will help you discover the contrasts between the privacy protection laws for public employment versus private employment.
I didn’t know there was a difference until 2018. From 2014 until 2018, I was running a telepractice business without much interaction with professional colleagues.
In 2018, I joined a telepractice interest group organized through Speech and Hearing BC. I was surprised that employees in government jobs were required to follow strict policies, such as storing people’s personal information only on servers in Canada. Was I breaking the law by using a telepractice platform hosted on a global server?
In researching this question, I learned that telepractice providers in other regions of Canada faced different legal requirements than I did as a business owner in BC. If you are searching for answers online, you might come across advice intended for Ontario’s health care providers. Be judicious. It might not apply to your situation.

Some of the provincial privacy protection laws in Canada cause confusion for therapists.
Q: Does BC’s Freedom of Information and Protection of Privacy Act (FOIPPA) apply to me?
Freedom of Information and Protection of Privacy Act (FOIPPA): BC's provincial law that applies to public bodies is FOIPPA. Public bodies are defined as any organization that carries out the functions of government, like a public-school board, a public hospital or health authority.
FOIPPA states that personal information collected by a public body must be stored on a server in Canada. Nova Scotia, Quebec and Alberta have similar provincial laws, also stating that public data must stay in Canada.
SLPs employed in public jobs are being told that most online telepractice platforms are not secure enough and therefore not permitted. Likewise, they face prohibitions against using email with clients or saving any data to a cloud-based application.
Personal Information Protection Act (PIPA): Private sector organizations in BC are required to comply with PIPA BC. Note that private practices in audiology and speech language pathology, healthcare companies and private treatment centers are all private sector organizations. Private hospitals, unlike public hospitals, are not government operated. Even BC’s doctors’ offices are private businesses and are therefore not required to comply with FOIPPA but are required to comply with PIPA.
A key difference is that there is no requirement to store data on servers located in Canada. There are no prohibitions against using online telepractice platforms, email and cloud-based data storage.
PIPA BC outlines how all of BC’s private sector organizations must handle the personal information of their employees and the public (i.e. customers) and creates common-sense rules about collecting, using and disclosing that personal information. Many other provinces have laws for the private sector that cover the same principles as Canada’s federal law known as PIPEDA.
Q: I’m a private practice SLP working as a service provider for WorkSafe BC. Why does WorkSafe BC expect me to comply with FOIPPA?
WorkSafe BC is a provincial agency which gets involved when workers are injured on the job. WorkSafe BC has case coordinators and managers who arrange rehab contracts with service providers. As part of the referral process, these WorkSafe BC employees send case files to service providers.
Rehab professionals go through an application process to become WorkSafe BC service providers. Because the provincial government owns and controls the case files about clients, the government is responsible for what happens to that data. WorkSafe BC imposes a legal requirement upon private sector contractors, ensuring that these private entities offer the same level of privacy protection as the public sector.
This is not optional. FOIPPA states that a public body has a continuing obligation to ensure that, when dealing with a business that it has retained under contract to perform services, the business signs a contract promising to comply with FOIPPA’s privacy requirements. The only circumstance in which a privacy protection schedule may not be required is if a contract clearly states that the government will not own or control any personal information involved.
Q: I do contracts for the Community Brain Injury Program for Children and Youth, which is run by the BC Centre for Ability, a public body. Is that why I must agree to a long list of privacy requirements every year?
Yes, government ministries and other public sector organizations are instructed to attach a privacy protection schedule to any contracts that involve personal information. The privacy protection schedule ensures that the high privacy standards set by the FOIPPA are maintained for personal information held by service providers. Specifically, BC’s Privacy Protection Schedule lays out the security, storage, use, retention, disclosure requirements and limitations required by law, as well as a clause for termination for non-compliance.
Alternatively, a public body may be able to use a modified version of the privacy protection schedule in situations where the original wording of the privacy protection schedule template does not capture the circumstances or context of the contract. The public body seeking approval for a modified privacy protection schedule must first obtain consent from the Privacy, Compliance and Training Branch and provide the following information:
- the modified version of the privacy protection schedule, and
- a detailed explanation of why an alternative is required.
It is important to note that BC’s Privacy, Compliance and Training Branch will only consider changes that are equivalent to or better than the requirements of the standard privacy protection schedule.
Q: I am a Registered Autism Service Provider (i.e. RASP) for BC’s Autism Funding Program. I do a lot of video conferencing with clients. It is featured in their online search function, so it must be permitted, right?
Yes, it is legal for private practice speech language pathologists on the RASP list to do video conferencing with clients funded by the Autism Funding Program. Furthermore, these professionals can store data about clients on global servers and use email to interact with clients.
In this situation, PIPA applies and there is no government mandate to ensure that service providers comply with FOIPPA. This is because the Autism Funding Program does not give personal information about clients to service providers. You will recall that the government does not own or control contact information (e.g. name, phone, address, email). It is parents who hire the service providers and sign the contract to authorize payment to the service providers. The provincial government simply provides a billing authorization number for the contract with the service provider.
Similarly, a private doctor’s office obtains the medical information directly from the patient. Doctors can bill the Medical Services Plan using a billing code. Private doctors are not contractors or service providers for the provincial government.
Q: Does that mean that the determining factor is the source of the data, not the source of the funding?
Yes, exactly. As a speech language pathologist in private practice, you might have multiple referral sources and various third-party payers. When the data is coming from a public body, FOIPPA will apply if you have been asked to sign a contract to that effect. When the data is coming from a private body or directly from clients, PIPA will apply.