
Here are the five guiding principles for Canadian therapists.
1st Principle: The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all of Canada
As a service provider in Canada, you are required to comply with PIPEDA, which is a federal law that has some similarities to HIPAA in the US. Whenever you obtain personal information about a potential client, you are expected to protect that information with three types of safeguards:
- Administrative safeguards identify all written, spoken or electronic personal information and prevent that information from being shared with people who should not have access to it. For example, a consent form for the release of information is an administrative safeguard.
- Physical safeguards like locked doors and employee badges prevent unauthorized people from being able to access workstations and electronic media.
- Technical safeguards, like user IDs, passwords and data encryption, keep the data hidden until an authorized recipient opens it.
There is no federal law which states that personal information or personal health information must stay on a server in Canada.
2nd Principle: In most provinces, the privacy protection laws for data collected by the private sector have been deemed substantially similar to PIPEDA, the federal law.
If you are a therapist working in private practice, you are working in the private sector, not the public sector. Use the link below to get the details for each region of Canada. You will see that in most parts of Canada, the privacy protection laws for the private sector mirror PIPEDA. There is no provincial or regional law which states that the data you collect in your business must stay on a server in Canada. Businesses are permitted to use programs that run on global servers, such as email, online programs and cloud storage.
In the province of British Columbia, the privacy protection law for the private sector is the Personal Information Privacy Act (PIPA). If your business collects personal information from clients and simply bills a government funding source, PIPA applies. For example, if you are a therapist in BC, your data from clients funded by the Autism Funding Program or At Home Medical Benefits can reside on global servers.
3rd Principle: In a few provinces, the privacy protection laws for data collected by the public sector state that the data must stay in Canada.
All Canadian provinces and territories have enacted legislation that regulates the collection, use and disclosure of personal information in the public sector. Specifically, this is any data that the local government has collected through public schools, health authorities, public service agencies, the courts and so on.
Let’s use British Columbia as our example again. BC protects public data with FOIPPA (Freedom of Information and Protection of Privacy Act). Public bodies are required to comply with this law, which states that data collected by a public body must stay in Canada. This has far-reaching implications for the use of email, online programs and cloud storage. Note that this is not a federal law; it is specific to BC.
Nova Scotia, Quebec and Alberta have similar laws. These were enacted in response to the Patriot Act in the US. The following article provides a summary of how and why these provincial laws exist.
4th Principle: The Personal Health Information Protection Act (PHIPA) only applies to healthcare professionals in Ontario
If you do online research regarding practice management software for therapists in Canada, you will find marketing messages aimed at Ontario’s healthcare providers. Ontario has a unique privacy protection law which differs substantially from the rest of Canada. All healthcare data is protected by the Personal Health Information Protection Act (PHIPA), regardless of whether it was collected by a clinician in the public sector or the private sector.
PHIPA states that patients must know where their healthcare data is being stored and must be informed if a breach occurs. This law does not state that healthcare data must reside on servers in Canada. There is a strong inclination to do so, however, because Canadian healthcare providers are held responsible for full disclosure to the public.
5th Principle: Provincial and regional governments remain responsible for the data they own and subsequently share with therapists.
Pay close attention! If you are a private practice therapist in Canada, you must understand and comply with this principle. In British Columbia, Nova Scotia, Quebec and Alberta, it is important to distinguish between data collected by your business versus data collected by your provincial or regional government and then shared with your business.
If you are a contractor for a public body, there may be a privacy protection schedule attached to your contract. For example, a private practice therapist in BC might be surprised to learn about the obligation to comply with BC’s Freedom of Information and Protection of Privacy Act (FOIPPA) in order to work with clients from government programs such as WorkSafe BC or the Community Brain Injury Program.
This is because the public body remains responsible for the personal information that it owns and subsequently shares with you. There might be a government case manager involved, or case files that are passed to the therapist. Note that the government does not own basic contact information, like a person’s name, email and address.
Become a Confident Telepractice Professional
I hope my advice has helped you become more confident.
Stay in compliance with the privacy protection laws that apply to your work situation. If you have more than one workplace, do your best to understand the different regulations that apply. Stay informed so that you can avoid anxiety, conflicts and unnecessary expenses.