Online Therapists Need Answers

Online Therapists Need Answers

Online therapists need answers about privacy protection.

When I graduated as an SLP, I started working part-time for the Vancouver Health Department and I immediately started seeing private clients. It is fairly common for a speech language pathologist to be employed in more than one setting. Many SLPs have a private practice in addition to a public sector job. 
 
My first boss at the health department was an experienced SLP who taught me about caseload management. Essentially, all the administrative skills that I was learning in my public sector job were directly applicable to my private practice. Obviously, things have changed.
 
If you want to excel at running a telepractice business, there is a lot to learn! Online therapists need answers.
 
In BC, the rules for staying legal in your public job are not the same as the rules for staying legal in your business. This document will help you discover the contrasts between the privacy protection laws for public employment versus private employment.
 
I didn’t know there was a difference until 2018. From 2014 until 2018, I was running a telepractice business without much interaction with professional colleagues. 
 
In 2018, I joined a telepractice interest group organized through Speech and Hearing BC. I was surprised that employees in government jobs were required to follow strict policies, such as storing people’s personal information only on servers in Canada. Was I breaking the law by using a telepractice platform hosted on a global server?
 
In researching this question, I learned that telepractice providers in other regions of Canada faced different legal requirements than I did as a business owner in BC. If you are searching for answers online, you might come across advice intended for Ontario’s health care providers. Be judicious. It might not apply to your situation.



Provincial Privacy Protection Laws

Provincial Privacy Protection Laws

Some of the provincial privacy protection laws in Canada cause confusion for therapists.

Q: Does BCs Freedom of Information and Protection of Privacy Act (FOIPPA) apply to me?

Freedom of Information and Protection of Privacy Act (FOIPPA): BC's provincial law that applies to public bodies is FOIPPA. Public bodies are defined as any organization that carries out the functions of government, like a public-school board, a public hospital or health authority. 
 
FOIPPA states that personal information collected by a public body must be stored on a server in Canada. Nova Scotia, Quebec and Alberta have similar provincial laws, also stating that public data must stay in Canada.
 
SLPs employed in public jobs are being told that most online telepractice platforms are not secure enough and therefore not permitted. Likewise, they face prohibitions against using email with clients or saving any data to a cloud-based application.
 
Personal Information Protection Act (PIPA): Private sector organizations in BC are required to comply with PIPA BC. Note that private practices in audiology and speech language pathology, healthcare companies and private treatment centers are all private sector organizations. Private hospitals, unlike public hospitals, are not government operated. Even BC’s doctor’s offices are private businesses and are therefore not required to comply with FOIPPA but are required to comply with PIPA.
 
A key difference is that there is no requirement to store data on servers located in Canada. There are no prohibitions against using online telepractice platforms, email and cloud-based data storage.
 
PIPA BC outlines how all of BC’s private sector organizations must handle the personal information of its employees and the public (i.e. customers) and creates common-sense rules about collecting, using and disclosing that personal information. Many other provinces have laws for the private sector that cover the same principles as Canada’s federal law known as PIPEDA.

Q: Im a private practice SLP working as a service provider for WorkSafe BC. Why does WorkSafe BC expect me to comply with FOIPPA?

WorkSafe BC is a provincial agency which gets involved when workers are injured on the job. WorkSafe BC has case coordinators and managers who arrange rehab contracts with service providers. As part of the referral process, these WorkSafe BC employees send case files to service providers. 
 
Rehab professionals go through an application process to become WorkSafe BC service providers. Because the provincial government owns and controls the case files about clients, the government is responsible for what happens to that data. WorkSafe BC imposes a legal requirement upon private sector contractors, ensuring that these private entities offer the same level of privacy protection as the public sector.
 
This is not optional. FOIPPA states that a public body has a continuing obligation to ensure that, when dealing with a business that it has retained under contract to perform services, the business signs a contract promising to comply with FOIPPA’s privacy requirements. The only circumstance in which a privacy protection schedule may not be required is if a contract clearly states that the government will not own or control any personal information involved.

Q: I do contracts for the Community Brain Injury Program for Children and Youth, which is run by the BC Center for Ability, a public body. Is that why I must agree to a long list of privacy requirements every year?

Yes, government ministries and other public sector organizations are instructed to attach a privacy protection schedule to any contracts that involve personal information. The privacy protection schedule ensures that the high privacy standards set by the FOIPPA are maintained for personal information held by service providers. Specifically, BC’s Privacy Protection Schedule lays out the security, storage, use, retention, disclosure requirements and limitations required by law, as well as a clause for termination for non-compliance. 
 
Alternatively, a public body may be able to use a modified version of the privacy protection schedule in situations where the original wording of the privacy protection schedule template does not capture the circumstances or context of the contract. The public body seeking approval for a modified privacy protection schedule must first obtain consent from the Privacy, Compliance and Training Branch and provide the following information:
 
  • the modified version of the privacy protection schedule, and
  • provide a detailed explanation of why an alternative is required. 
It is important to note that BC’s Privacy, Compliance and Training Branch will only consider changes that are equivalent to or better than the requirements of the standard privacy protection schedule. 

Q: I am a Registered Autism Service Provider (i.e. RASP) for BCs Autism Funding Program. I do a lot of video conferencing with clients. It is featured in their online search function, so it must be permitted, right?

Yes, it is legal for private practice speech language pathologists on the RASP list to do video conferencing with clients funded by the Autism Funding Program. Furthermore, these professionals can store data about clients on global servers and use email to interact with clients.
In this situation, PIPA applies and there is no government mandate to ensure that service providers comply with FOIPPA. This is because the Autism Funding Program does not give personal information about clients to service providers. You will recall that the government does not own or control contact information (e.g. name, phone, address, email). It is parents who hire the service providers and sign the contract to authorize payment to the service providers. The provincial government simply provides a billing authorization number for the contract with the service provider.
 
Similarly, a private doctor’s office obtains the medical information directly from the patient. Doctors can bill the Medical Services Plan using a billing code. Private doctors are not contractors or service providers for the provincial government.

Q: Does that mean that the determining factor is the source of the data, not the source of the funding?

Yes, exactly. As a speech language pathologist in private practice, you might have multiple referral sources and various third-party payers. When the data is coming from a public body, FOIPPA will apply if you have been asked to sign a contract to that effect. When the data is coming from private body or directly from clients, PIPA will apply. 



Risks of Data Storage

Risks of Data Storage

Canadian therapists should be aware of the risks of data storage.

Q: Where can data be stored?

Often the same data is stored in more than one place. It is common to have an automatic back-up system which makes a copy of the information stored on local computers. Storing data in the cloud introduces a privacy risk. Many companies in Canada outsource data processing to the US. Lots of cloud-based programs are stored on US servers.

In general, data can be stored on:
  • local computers, in the RAM and on the drive
  • external drives, USB flash drives, memory cards
  • servers
  • the browser you are using to access internet sites, the sites you visit and the software you are accessing online.
Server: A server is a computer program that provides a service to other computer programs. In a data centre, the physical computer which runs the server program is also frequently referred to as a server. If you work for a school district, health authority or hospital, your organization will have servers in specific locations and you will be able to store information on one of those servers rather than on your local computer.
 
LAN: A local area network is a computer network within a small geographical area such as a home, school, computer laboratory, office building or group of buildings. If your place of employment has a LAN, you will have inter-connected workstations and personal computers which are each capable of accessing and sharing data and devices such as printers, scanners and a central server.

Q: Why does data storage entail privacy risks?

The Internet can best be understood as a community of computers that are allowed to connect to each other, and any computer on the Internet can connect to any other computer at any time it wishes. Through infrastructure that spans the globe, there is one single, unified Internet that all computers connect to, allowing anyone connected to share and access all the information that they choose to. Thus, this open availability of data creates a huge privacy risk.

Q: What does terrorism and FBI surveillance have to do with our privacy laws in Canada?

The US passed the Patriot Act shortly after the terrorist attacks on Sept 11, 2001. It allows the US government to eavesdrop on face to face, telephone and electronic communication without cause. This includes banking information and employee records, essentially any personal information. The critical point is that any information stored on servers in the US is available for surveillance by the FBI without the person’s knowledge or consent. 

Here in Canada, that level of surveillance makes our government uncomfortable. 


Q: How would the FBI gain access to data on my clients?

Many companies in Canada outsource data processing to the US. Lots of cloud-based programs are stored on US servers.
 
Cloud-Based: This is a term that refers to applications, services or resources made available to users on demand via the Internet from a cloud computing provider's server.
 
Global Server Load Balancing (GSLB): This is the practice of distributing Internet traffic amongst many connected servers dispersed around the world. The benefits of GSLB include increased reliability and reductions in latency. For example, email programs like Gmail, Hotmail, and Yahoo run from global servers.

Q: How do I know where my data is stored?

If you are an employee of a public body in BC, your employer should be in compliance with FOIPPA. A public body is required to store data on a server in Canada, subject to three main exceptions.
 
Client Consent: The client has given consent for the public body to store and access the personal information on a server outside of Canada.
 
The client’s consent must:
 
  • Specify the purpose of storing or accessing the personal information
  • Be in writing
  • Specify the personal information for which the client is providing consent
  • Specify the date on which the consent is effective
  • What date the client’s consent expires (if applicable)
  • Specify who may store or access the personal information from outside of Canada
  • Specify which jurisdiction the personal information may be stored in or accessed from (if practicable) 
Authorized by a Written Agreement: Personal information may lawfully be stored in another jurisdiction in circumstances where, for instance, a written agreement authorizes the disclosure of the personal information in another jurisdiction.
 
For Purposes of Payment: The personal information may be stored or accessed on a server outside of Canada for the purposes of a payment to be made to or by the government of British Columbia or a public body.
 
If you are working in the private sector, FOIPPA does not apply unless you are obtaining data from the provincial government. Instead, your company is expected to comply with PIPA, which does not prohibit the storage of data on global servers and cloud-based applications. Because of Global Server Load Balancing, it is unlikely that you will be able to determine where your data is stored.

Q: Should I use Canadian cloud storage?

If you work for a public employer, find out where your employer wants you to store data. 

If you work alone in private practice and your contracts require you to keep data in Canada, you could just store your data on your local computer and on a local backup drive. 
 
If you work with a treatment team and you want to keep your data in Canada, yes, Canadian cloud storage would be a good idea. There are many options.




Therapists need Consent

Therapists need Consent

Therapists need consent before providing services.

Q: What does informed consent entail?

Informed consent entails informing the client about what will be collected and details about the type and number of services that will be provided. For SLP’s, it is a good idea to use the words assessment and therapy since this is how funders define SLP services.

Q: Should my clients give consent for telepractice service delivery?

Yes, your clients need to know what to expect. Your referral process, your consent forms and your contracts should provide all the necessary details in writing.

Q: What does consent for the release of information entail?

This consent is for collecting information and for disseminating information. The client should indicate which people or agencies are permitted to receive information from you. This applies to verbal, written and electronic communication. 
 
Likewise, if you want to obtain information about a client from another professional or agency you need to provide a Consent for Release of Information form when you request the information. Even if the client wants a copy of their own data, they must request it formally and provide signed consent.

Q: When is a consent for services needed by clients accessing services from a public organization?

Consent for basic services offered by a public organization is assumed. For example, if a member of the public arrives at a hospital or if a child is enrolled in a school, it is assumed that the person wants the basic services offered by that organization. It should be noted, however, that non-residents may not be eligible for publicly funded services. They may need to pay privately in order to access those services.
 
Because the data collected belongs to the organization, the employees within that organization can collaborate and make decisions. For example, hearing screening is conducted in newborn nurseries and follow up is determined. Reading readiness screening takes place in schools and students are given learning assistance. Often screening programs have internal follow-up but no reports. The client or family may not even be aware that an assessment has taken place and treatment decisions have been made.
 
Essentially, the process of narrowing enquiries down to qualified prospects occurs seamlessly inside many public organizations. They might not call it by this name.
 
It is important for public organizations to define the services that go beyond basic services. Simply put, these are services that members of the public are not expecting. These are services that are only offered to people who need them, qualify for them and give consent for them. The client or family members should be made aware of the risks and benefits, and they should be involved in the decision. This is referred to as informed consent for services.
 
A hospital might require consent to do surgery. A school might require consent to do a psycho-educational assessment. 
 
Does this mean that public agencies should ask for consent to offer telepractice services? Yes, if the client is expecting face to face services and the service provider is recommending telepractice services, this change requires consent. In addition, the client should be informed of the benefits, the risks and the safeguards in place to protect the confidentiality of the data.

Q: Can a teacher ask me questions about a student who is not on my caseload? Can I provide advice about a client if I have not asked for consent?

Professional communication within a workplace is normal; however, you are not permitted to reveal personal information about a client to anyone outside of your public organization or private business without consent. Be very careful about all your interactions. Privacy laws apply no matter what form of communication you use.
 
I was a service provider for a number of distance learning schools. The schools had contracts with my company. I was not their employee. Some of my students had large treatment teams which included teachers, assistants and other private service providers.
 
All phone calls that came to my office automatically went to voicemail. I asked team members to use my online scheduler to book phone calls. This helped me avoid phone tag and gave me a chance to ask the family for consent before I spoke to the person.



What is Telepractice?

What is Telepractice?

Telepractice is an Emerging Solution

During 2020 - 2021, the pandemic forced therapists to transition to telepractice service delivery. It didn't take long for the global community to realize that telepractice was an emerging solution for people who are looking for services and for professionals wanting to build a viable practice.

Three Types of Telepractice

The American Speech Language Hearing Association (ASHA) is recommending the term telepractice over other terms such as telehealth, telemedicine, telespeech, and speech teletherapy to avoid the misperception that these services are used only in health care settings.
 
Common terms describing types of telepractice are as follows:
 
Synchronous (client interactive): Services are conducted with an interactive audio and video connection in real time to create an in-person experience similar to that achieved in a traditional encounter. Synchronous services may connect a client or group of clients with a clinician, or they may include consultation between a clinician and a specialist.
 
Asynchronous (store-and-forward): Images or data are captured and transmitted (i.e., stored and forwarded) for viewing or interpretation by a professional. Examples include transmission of voice clips, audiologic testing results, or outcomes of independent client practice.
 
Hybrid: Applications of telepractice that include combinations of synchronous, asynchronous, and/or in-person services.

Common Fears for Online Therapists

The barriers to telepractice in Canada were reduced during the pandemic because of the urgency of taking care of caseloads. Funders were forced to accept telepractice as a service delivery method. Clients downloaded apps and showed up for sessions. 

All therapists had to take risks and learn new skills. Private practice therapists were faced with becoming online entrepreneurs. Here are some common fears expressed by therapists.

  • First of all, how do you stay legal? What are your obligations regarding compliance with privacy protection laws and professional conduct?  Currently, Canada has vastly different privacy protection laws from province to province. Within provinces, there are variations depending on the place of employment and even the source of the caseload data. 
  • Secondly, how do you convey competence when the technology keeps changing and the learning curve is so steep? 
  • Thirdly, how do you compete online to attract your ideal caseload?
  • Fourthly, how do you keep your clients committed, paying you well and staying long enough to get clinical outcomes?

Telepractice Service Delivery Solves Problems

In Canada, we have a long history of inequitable access to therapy services for rehab and intervention. During the pandemic, we saw that telepractice service delivery solved some of our intractable problems.
 

Risk of Spreading Disease 

Speech language therapy became a dangerous profession during the pandemic. SLPs could no longer sit close to clients and use the mouth to teach concepts. Some SLPs tried to work behind plexiglass. The acceptance of webcam sessions was rapid because it eliminated the spread of the virus.
 

Vacancies

Therapy positions in rural communities sometimes stay vacant for a long time while employers try to recruit someone. Experienced therapists tend to be well-established in their careers. They are not interested in moving or even taking short term assignments away from home. Long waiting lists create desperation for people living in those rural communities. They waste their precious funding on fads, unproven therapies and unqualified service providers. 
 
In contrast, telepractice services can be used to address vacancies. Employers can either develop their own telepractice outreach programs or hire private contractors to provide online services.
 

Demands on Therapists 

Even people living in urban centers struggle with finding a therapist who is available at the right time. Many families want a therapist who will come to their home evenings or weekends. Children are in daycare or school all week. Adults can't take time off work. 
 
Private practice therapists can't sustain a caseload that involves giving up evenings and weekends and travelling to homes without being reimbursed. 
 
In contrast, telepractice services allow private practice therapists to build a business that is efficient and profitable. It gives them work-life balance.

Telepractice Service Delivery Offers Benefits

Telepractice gives people access to expert help, so they can make progress on their rehab and intervention. There are benefits for the public, for individual therapists and for the professions.
 
  • The time and expense of travel for clients and therapists is eliminated. Therapists can extend the reach of their practice.
  • Telepractice can increase the frequency of contact.
  • It is a future-proof way to provide assessment and intervention. The reliance on pen and paper and physical therapy materials is greatly reduced.
  • Monitoring can be done asynchronously by viewing data on a server
  • Telepractice can turn therapists into leaders in their professional field because therapists can develop a clinical niche. 
  • Clients with rare and difficult diagnoses can get access to highly effective treatments.
  • It can provide new grads with mentoring from confident leaders.
  • A more affordable tiered service model is possible because a highly specialized expert can create goals and direct a local team in following a robust therapy protocol. 
  • Software can be used as curriculum, greatly reducing the need to train paraprofessionals to fidelity.
  • The risk of spreading diseases is eliminated.
  • Telepractice increases the efficiency and profitability of a therapy practice.



 
Read Newer Updates