Canadian Legal Requirements

What are the Canadian legal requirements for privacy protection?

Q: Why have I seen advertisements that tell Canadian therapists to keep their data in Canada?

There is no federal law requiring therapists to keep their data in Canada. A few provinces (Alberta, Quebec, British Columbia and Nova Scotia) require public agencies to keep their data in Canada. This doesn't apply to the data you collect in your private practice, because your business is not a public agency.
 
Personal Health Information Protection Act (PHIPA): In Ontario, all healthcare providers must comply with the provincial Personal Health Information Protection Act, whether they work for a public body or a private company. Ontario has many clinicians in private practice, so the advertisements you find online are largely aimed at the Ontario market.

Ontario’s PHIPA states that a company in Canada that outsources information processing to the United States, where it will be subject to US laws, should notify its customers that the information may be made available to the US government or its agencies. The information should be used only for the original purpose of collection, and it should be stored with the same level of password protection and encryption as would be the case in Canada.

While information can cross borders, the Canadian business remains liable for any problems if there is a security breach. This risk places a hardship on Ontario’s healthcare providers, making them understandably cautious.
 

Q: What is a HIPAA Business Associate Agreement?

HIPAA addresses the problems of a fractured healthcare system in the US, where personal health information (PHI) is constantly being passed between healthcare providers, health insurers and health exchange organizations.
 
HIPAA Business Associate Agreement (BAA): The purpose of the BAA in HIPAA is to ensure that there is an unbroken chain of responsibility for any personal health information (PHI) that may be “touched” by a vendor and/or service provider. In other words, the law forces the big players to meet a common standard. The agreement is a method of sharing the risk and is, essentially, a promise to be accountable should a breach take place.

Not all providers of video conferencing software are willing to share the risk. For example, Apple and Skype have deliberately chosen not to take on these risks.

Q: Do I need the expensive version of Zoom which gives me a Business Associate Agreement? This is advertised as being in compliance with HIPAA (US), PIPEDA (Canada) and PHIPA (Ontario).

It depends.
 
As I stated earlier, Zoom has three features that use cloud storage:
  • Storing recordings in the cloud
  • Creating user accounts for clients, which requires their name and email
  • Texting with clients in the Zoom chat window
As a clinician in Canada, it is your responsibility to understand your obligations and goals. Are you required to keep your data in Canada? Are you running a sole practice? Are you responsible for a large workforce?
 
If you are required to keep your data in Canada, the free version of Zoom might still be the best option for you. Simply avoid using the chat feature in Zoom and download your recordings to your computer instead of storing them in the cloud. Use a password and the waiting room feature; this prevents people from entering your session without permission. Your clients won’t need to create accounts, and none of their data will be stored in the cloud. Once you have this set up, it works every time.

If you are with an agency or clinic, there is more risk. Your workforce might not be diligent about doing the manual steps that I just mentioned. In that case, you might want a paid account with Zoom, with a signed Business Associate Agreement. Cloud recording will be disabled and encrypted chat will be enabled. User accounts can be deleted. Notice that encrypted chat would still store messages in the cloud, so you should avoid the chat feature.
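The configuration described above, as an added example that is not part of the original page: a small Python audit that checks a Zoom user's settings for the "keep client data out of the cloud" setup (local recording only, chat off, passcode required, waiting room on). The group/key layout mirrors the shape of Zoom's user-settings API, but the field names are assumptions and both sample settings dictionaries are constructed rather than captured from a real account.

```python
# Audit a Zoom user's settings against the configuration described above.
# The group/key layout mirrors Zoom's user-settings API, but the field names
# are assumptions, and both sample dictionaries below are constructed.

# Constructed sample: a typical account before hardening.
BEFORE = {
    "recording": {"cloud_recording": True, "local_recording": True},
    "in_meeting": {"chat": True, "waiting_room": False},
    "schedule_meeting": {"require_password_for_scheduling_new_meetings": False},
}

# Constructed sample: the same account after applying the steps in the text.
AFTER = {
    "recording": {"cloud_recording": False, "local_recording": True},
    "in_meeting": {"chat": False, "waiting_room": True},
    "schedule_meeting": {"require_password_for_scheduling_new_meetings": True},
}

# (group, key, required value, reason) for each setting the text calls out.
REQUIRED = [
    ("recording", "cloud_recording", False,
     "recordings must be saved locally, not in Zoom's cloud"),
    ("in_meeting", "chat", False,
     "chat messages are stored in the cloud even when encrypted"),
    ("in_meeting", "waiting_room", True,
     "the waiting room keeps uninvited participants out"),
    ("schedule_meeting", "require_password_for_scheduling_new_meetings", True,
     "every session must require a passcode"),
]

def audit(settings):
    """Return one finding per setting that deviates from REQUIRED.  A setting
    missing from the dictionary is a finding too: never pass an unread field."""
    findings = []
    for group, key, expected, reason in REQUIRED:
        actual = settings.get(group, {}).get(key)
        if actual != expected:
            findings.append(f"{group}.{key}={actual!r} (want {expected!r}): {reason}")
    return findings

def keeps_data_local(settings):
    """True only when every required setting is present and correct."""
    return not audit(settings)

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: {'OK' if keeps_data_local(cfg) else 'FAIL'}")
        for line in audit(cfg):
            print("  -", line)
```

Run it against settings exported from a real account only after confirming the actual field names; the audit treats any field it cannot read as a failure rather than a pass.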