
Privacy protection laws apply when a therapist is sending out marketing messages.
Q: If I collect leads using an online form on a website, where does that data go?
As a service provider, you will collect leads from the public. If you use an online form, the data entered on such forms goes to the server that is hosting your website, or to the server hosting your form builder app. It is possible to store this data on a server in Canada if you choose your software and apps carefully.
If you use Google apps or surveys, for instance, all the information your leads have entered on your forms will be processed by US-based servers.
Q: How do I protect the data I am collecting on my website?
People will be reluctant to use your online form if your site is not secure. A secure site shows a lock icon in the browser’s address bar and a URL that begins with https://. If your website doesn’t have this yet, contact your hosting company to upgrade to a higher level of security.
HTTPS provides what is called "encryption in transit". This means that the data and communications between a browser and website server are in an encrypted format, so if these packets of data are intercepted, they cannot be read or tampered with.
Q: Can I send out bulk email campaigns or newsletters?
It is not legal to send advertising messages to people who don’t want to hear from you. The very first step is to build a robust list of names and email addresses. These leads should be people who have filled in an online form or interacted with you or your business.
Transactional email programs like Office 365 Exchange Online work best if the person you are emailing already has your email address in their list of contacts. Your message will reach the person’s inbox.
If you try to use a transactional email program to reach a group of people, you will be limited to a small number of recipients. If you try to send to more people, you may get blocked from sending emails. Regular transactional email programs are not designed for sending bulk campaigns.
You should use a bulk email program to send news and offers to the public. You can also create drip campaigns and automatic responses using this type of email software. Properly formatted email campaigns have an unsubscribe link. You should also provide a link with some identifying information about your business. If these two links are missing from your email campaigns, your messages will be identified as spam.
I recommend the AttractWell platform for therapists who want their website, marketing and online curriculum to be integrated. You don't need to waste time entering names and email addresses. That information is automatically stored in the contact list in your dashboard. You can send out single messages, bulk campaigns and customized campaign sequences using domain name email.

The risks of email make it important to comply with privacy protection laws.
Q: Can I use Office 365, which is cloud-based? How do I know where Office 365 is storing my email messages and documents?
Office 365 stores your messages and data on your personal computer and syncs this with storage on a server. Recently, Office 365 has made it possible for Canadians to use servers in Canada, rather than global servers. Skype for Business was rebranded as Microsoft Teams.
Q: Can I use Gmail to interact with clients? Can I use cloud-based apps and cloud-based storage such as Dropbox or Google Drive?
If you are employed by a public body in BC, you shouldn’t use Gmail because it is a cloud-based application which runs from global servers. This is also the case for cloud-based apps and cloud-storage.
If you work in the private sector and you don’t have any contracts that require you to follow FOIPPA, you can use Gmail, Dropbox, Google Drive and countless other cloud-based apps. Cloud storage is helpful if you want to access your data from more than one device. It also makes it easy to share data with people in other locations.
Q: I work for a government agency that blocks me from getting any referral documents that are cloud-based. Referrals must be faxed in. Why is this?
Fax machines provide direct communication. If a document is faxed from one place to another, it can be accompanied by an immediate receipt stating that it was received. This is the main reason why health care providers maintain the use of fax machines to transmit sensitive information.
Some health authorities are allowing referral packages to be sent by email. The sender starts by checking that the message will go to the correct person by sending an initial email with a basic greeting. The recipient responds, confirming the identity of the receiver. Once this loop is established, permission to send a whole referral package by email is granted.
Q: Can a private practice accept referrals by email?
Yes, private sector organizations are permitted to send and receive information using email and other cloud-based services. Use services that are encrypted and password-protected.

Let's compare the video conferencing apps that are commonly used by private practice therapists.
Q: Are there any Canadian video conferencing platforms?
This is not the right question. To the best of my understanding, it doesn’t matter where the platform or server is located if the sessions are protected from unwanted participants, the FBI, a malicious hacker and so on. If you are trying to comply with FOIPPA, the first thing you need is a platform which offers encryption so that your sessions can’t be intercepted. The second thing you need is assurance that no client data will be stored on a server outside of Canada.
Q: Is Microsoft Teams recommended for telepractice?
Skype for Business was purchased by Microsoft and has been rebranded as Microsoft Teams. At the time of this writing, BC’s public SLPs were using Microsoft Teams because it was part of Office 365, which gave users the option to keep data on a server in Canada.
In 2018, before the changes ushered in by the pandemic, I listened to some SLPs describe their experiences in trying to use Skype for Business for online sessions with clients. BC's provincial health authorities were trying to offer telepractice services within the mandate to keep data on servers in Canada.
Here are two examples of how difficult this was:
Clients who were participating in telepractice through a health authority had to travel to a site that had clinic space and the necessary technology for telepractice sessions. The appointment was booked by a clerk who managed the schedules of the SLP, the clinic space, and an assistant who could log into Skype for Business and connect with the SLP. The client couldn’t connect from home.
Clients were offered the option of speech language therapy by telepractice instead of having to travel to a hospital outpatient department. The client was responsible for providing a laptop or tablet and a high-speed internet connection. The health authority’s IT department created a Skype for Business ID and password for the client. The client had to bring their laptop or tablet to an initial onsite session. Staff from the health authority installed the software and trained the client to log in. The client could then participate in telepractice sessions from home, provided that a reliable helper with good computer skills was available to help. Phone calls were used to book appointments for telepractice sessions. Support staff were required for this.
The pandemic pushed institutions toward practical solutions that would allow clients and therapists to connect more easily online.
Q: Can I use ZOOM, Skype or FaceTime?
If a platform provides encryption and password protection, it meets the federal requirements in PIPEDA and the provincial requirements in PIPA BC; however, if a platform stores data about clients in the cloud, it won’t meet the provincial requirements in FOIPPA.
There are many platforms that offer online webcam sessions. Here are some that you are probably familiar with:
ZOOM Cloud Meetings: Zoom can run from a browser without downloading anything to a client’s computer. This creates a basic version of Zoom without all the features. The more typical way that people use Zoom is to download components of the program onto their computer and then enter a session. There are regular updates to the software, so users are expected to refresh the download periodically. As the clinician hosting the session, you can’t avoid these downloads.
There are pros and cons. If your employer prohibits you from downloading programs onto your office computer, you won’t be able to use Zoom without permission to install the program. The advantage of this download, however, is that Zoom is stable even when bandwidth is poor.
You can use the free version of ZOOM without storing any data about your clients in the cloud. The free version of ZOOM gives you two-way encryption. You have the option of using a waiting room and admitting clients into the session manually. You can also protect your sessions with a password.
- ZOOM Cloud Meetings https://zoom.us
Skype: All Skype-to-Skype voice, video, file transfers and instant messages are encrypted. This protects you from potential eavesdropping by malicious users. If you make a call from Skype to mobile and landline phones, the part of your call that takes place over the PSTN (the ordinary phone network) is not encrypted. Skype-to-Skype requires users to set up accounts, so your clients would have to store their name, email and possibly a picture in the cloud.
- SKYPE https://skype.com
FaceTime: The FaceTime app works on iOS devices. It is private because your calls are protected using end-to-end encryption, so there is no way someone outside of your call could access your call. Calls are not recorded, and no part of your calls is sent to or stored by Apple. Only you and the person you call can join the call. FaceTime contents are stored in the cloud.
- FaceTime https://apps.apple.com/ca/facetime
Q: Which video conferencing app do you recommend?
I currently recommend the ZOOM Cloud Meetings App for speech language pathologists in private practice in BC because it is free and has all the features you need. The high quality of the audio-visual transmissions in ZOOM makes it ideal for speech language therapy. The screen share feature is versatile and robust.
Zoom works well for the level of interaction needed in speech language therapy. It is the only video conferencing platform which allows both participants to share the audio of their device when they are screen sharing. I had clients who used online software in therapy. If they were having problems, I could watch and listen while they logged into an assignment. I could see why they were having problems. It was like being in the room with them.
Both the free account and the ZOOM Pro account will meet the privacy requirements of FOIPPA if you are careful not to store any data about clients in the cloud. Specifically, if your workplace does not allow data storage on Zoom’s global servers, you can take steps to safeguard against this.
Only three of Zoom’s features use cloud storage. You can manually turn these off. These are:
- Storing recordings in the cloud
- Creating user accounts for clients, which requires their name and email
- Texting with clients in the Zoom chat window
Keep in mind that you automatically get encryption with all versions, so you don’t need a paid account to get encryption.
Q: Do clients need to be aware that I am recording and what I am doing with recordings? Do clinicians need to be aware of when clients are recording and what they are doing with recordings?
It’s yes for both. The platform that you are using for telepractice should have a setting that lets the person know that they are being recorded. In advance, you should get signed consent for making video recordings.
Most telepractice platforms make it easy to create video recordings. I always asked for consent to make recordings while providing treatment. All my telepractice clients agreed to this because it gave us an objective record of progress.
Q: Where should I store my video recordings?
Store your videos on a secure drive or server. If you work in private practice with data that you have collected, as opposed to data from BC’s government, you can use cloud storage.
If you work for a public agency, your employer might have a specific server for your videos. If not, be very careful about cloud storage because this might not be permitted. Remember that compliance with FOIPPA means keeping your data within Canada.
In any work situation, you can download your videos to your local computer and then use password protection for your computer and even for the specific folder.

Warnings about the risks of data storage for Canadian therapists can be confusing.
Q: Why have I seen advertisements that tell Canadian therapists to keep their data in Canada?
There is no federal law requiring therapists to keep their data in Canada. There are a few provinces that require public agencies to keep their data in Canada (i.e., Alberta, Quebec, British Columbia and Nova Scotia). This doesn't apply to the data you collect in your private practice. Your business is not a public agency.
Personal Health Information Protection Act (PHIPA): In Ontario, all healthcare providers must comply with their provincial Personal Health Information Protection Act. It makes no difference if they are with a public body or a private company. Ontario has many clinicians in private practice, so the advertisements you find online are largely aimed at the Ontario market.
Ontario’s PHIPA states that a company in Canada that outsources information processing to the United States, where it will be subject to US laws, should notify its customers that the information may be made available to the US government or its agencies. The information should only be used for the original purpose of collection. It should be stored with the same level of password protection and encryption as would be the case in Canada.
While information can cross borders, the Canadian business remains liable for any problems if there is a security breach. This risk places a hardship on Ontario’s healthcare providers, making them understandably cautious.
Q: What is a HIPAA Business Associate Agreement?
HIPAA addresses the problems of a fractured healthcare system in the US, where personal health information (PHI) is constantly being passed between healthcare providers, health insurers and health exchange organizations.
HIPAA Business Associate Agreement (BAA): The purpose of the BAA in HIPAA is to ensure that there is an unbroken chain of responsibility for any personal health information (PHI) that may be “touched” by a vendor and/or service provider. In other words, the law forces the big players to meet a common standard. The agreement is a method of sharing the risk and is, essentially, a promise to be accountable should a breach take place.
Not all providers for video conferencing software are willing to share the risk. For example, Apple and Skype have deliberately chosen not to take on these risks.
Q: Do I need the expensive healthcare version of Zoom?
It depends.
Zoom has three features which use cloud storage:
- Storing recordings in the cloud
- Creating user accounts for clients, which requires their name and email
- Texting with clients in the Zoom chat window
As a clinician in Canada, it is your responsibility to understand your obligations and goals. Are you required to keep your data in Canada? Are you running a sole practice? Are you responsible for a large workforce?
If you are required to keep your data in Canada, the free version of Zoom might still be the best option for you. Simply avoid using the chat feature in ZOOM and download your recordings to your computer instead of storing them in the cloud. Use a password and the waiting room feature. This prevents people from entering your session without permission. Your clients won’t need to create accounts. None of their data will be stored in the cloud. Once you have this set up, it works every time.
If you are with an agency or clinic, there is more risk. Your workforce might not be diligent about doing the manual steps that I just mentioned. In that case, you might want a paid account with Zoom, with a signed Business Associate Agreement. Cloud recording will be disabled and encrypted chat will be enabled. User accounts can be deleted. Notice that encrypted chat would still store messages in the cloud, so you should avoid the chat feature.

Here are the five guiding principles for Canadian therapists.
1st Principle: The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all of Canada
As a service provider in Canada, you are required to comply with PIPEDA, which is a federal law that has some similarities to HIPAA in the US. Whenever you obtain personal information about a potential client, you are expected to protect that information with three types of safeguards:
- Administrative safeguards identify all written, spoken or electronic personal information and prevent that information from being shared with people who should not have access to it. For example, a consent form for the release of information is an administrative safeguard.
- Physical safeguards like locked doors and employee badges prevent unauthorized people from being able to access workstations and electronic media.
- Technical safeguards, like user IDs, passwords and data encryption, keep the data hidden until an authorized recipient opens it.
There is no federal law which states that personal information or personal health information must stay on a server in Canada.
2nd Principle: In most provinces, the privacy protection laws for data collected by the private sector have been deemed substantially similar to PIPEDA, the federal law.
If you are a therapist working in private practice, you are working in the private sector, not the public sector. Use the link below to get the details for each region of Canada. You will see that in most parts of Canada, the privacy protection laws for the private sector mirror PIPEDA. There is no provincial or regional law which states that the data you collect in your business must stay on a server in Canada. Businesses are permitted to use programs that run on global servers, such as email, online programs and cloud storage.
In the province of British Columbia, the privacy protection law for the private sector is the Personal Information Privacy Act (PIPA). If your business collects personal information from clients and simply bills a government funding source, PIPA applies. For example, if you are a therapist in BC, your data from clients funded by the Autism Funding Program or At Home Medical Benefits can reside on global servers.
3rd Principle: In a few provinces, the privacy protection laws for data collected by the public sector state that the data must stay in Canada.
All Canadian provinces and territories have enacted legislation that regulates the collection, use and disclosure of personal information in the public sector. Specifically, this is any data that the local government has collected through public schools, health authorities, public service agencies, the courts and so on.
Let’s use British Columbia as our example again. BC protects public data with FOIPPA (Freedom of Information and Protection of Privacy Act). Public bodies are required to comply with this law, which states that data collected by a public body must stay in Canada. This has far-reaching implications for the use of email, online programs and cloud storage. Note that this is not a federal law; it is specific to BC.
Nova Scotia, Quebec and Alberta have similar laws. These were enacted in response to the Patriot Act in the US. The following article provides a summary of how and why these provincial laws exist.
4th Principle: The Personal Health Information Protection Act (PHIPA) only applies to healthcare professionals in Ontario
If you do online research regarding practice management software for therapists in Canada, you will find marketing messages aimed at Ontario’s healthcare providers. Ontario has a unique privacy protection law which differs substantially from the rest of Canada. All healthcare data is protected by the Personal Health Information Protection Act (PHIPA), regardless of whether it was collected by a clinician in the public sector or the private sector.
PHIPA states that patients must know where their healthcare data is being stored and must be informed if a breach occurs. This law does not state that healthcare data must reside on servers in Canada. There is a strong inclination to do so, however, because Canadian healthcare providers are held responsible for full disclosure to the public.
5th Principle: Provincial and regional governments remain responsible for the data they own and subsequently share with therapists.
Pay close attention! If you are a private practice therapist in Canada, you must understand and comply with this principle. In British Columbia, Nova Scotia, Quebec and Alberta, it is important to distinguish between data collected by your business versus data collected by your provincial or regional government and then shared with your business.
If you are a contractor for a public body, there may be a privacy protection schedule attached to your contract. For example, a private practice therapist in BC might be surprised to learn about the obligation to comply with BC’s Freedom of Information and Protection of Privacy Act (FOIPPA) in order to work with clients from government programs such as WorkSafe BC or the Community Brain Injury Program.
This is because the public body remains responsible for the personal information that it owns and subsequently shares with you. There might be a government case manager involved, or case files that are passed to the therapist. Note that the government does not own basic contact information, like a person’s name, email and address.
Become a Confident Telepractice Professional
I hope my advice has helped you become more confident.
Stay in compliance with the privacy protection laws that apply to your work situation. If you have more than one workplace, do your best to understand the different regulations that apply. Stay informed so that you can avoid anxiety, conflicts and unnecessary expenses.