
Warnings about the risks of data storage for Canadian therapists can be confusing.
Q: Why have I seen advertisements that tell Canadian therapists to keep their data in Canada?
There is no federal law requiring therapists to keep their data in Canada. A few provinces (Alberta, Quebec, British Columbia and Nova Scotia) require public agencies to keep their data in Canada. This doesn't apply to the data you collect in your private practice, because your business is not a public agency.
Personal Health Information Protection Act (PHIPA): In Ontario, all healthcare providers must comply with their provincial Personal Health Information Protection Act. It makes no difference if they are with a public body or a private company. Ontario has many clinicians in private practice, so the advertisements you find online are largely aimed at the Ontario market.
Ontario’s PHIPA states that a company in Canada that outsources information processing to the United States, where it will be subject to US laws, should notify its customers that the information may be made available to the US government or its agencies. The information should only be used for the original purpose of collection. It should be stored with the same level of password protection and encryption as would be the case in Canada.
While information can cross borders, the Canadian business remains liable for any problems if there is a security breach. This risk places a hardship on Ontario’s healthcare providers, making them understandably cautious.
Q: What is a HIPAA Business Associate Agreement?
HIPAA addresses the problems of a fractured healthcare system in the US, where personal health information (PHI) is constantly being passed between healthcare providers, health insurers and health exchange organizations.
HIPAA Business Associate Agreement (BAA): The purpose of the BAA in HIPAA is to ensure that there is an unbroken chain of responsibility for any personal health information (PHI) that may be “touched” by a vendor and/or service provider. In other words, the law forces the big players to meet a common standard. The agreement is a method of sharing the risk and is, essentially, a promise to be accountable should a breach take place.
Not all providers for video conferencing software are willing to share the risk. For example, Apple and Skype have deliberately chosen not to take on these risks.
Q: Do I need the expensive healthcare version of Zoom?
It depends.
Zoom has three features which use cloud storage:
- Storing recordings in the cloud
- Creating user accounts for clients, which requires their name and email
- Texting with clients in the Zoom chat window
As a clinician in Canada, it is your responsibility to understand your obligations and goals. Are you required to keep your data in Canada? Are you running a sole practice? Are you responsible for a large workforce?
If you are required to keep your data in Canada, the free version of Zoom might still be the best option for you. Simply avoid using the chat feature in Zoom and download your recordings to your computer instead of storing them in the cloud. Use a password and the waiting room feature; together these prevent people from entering your session without permission. Your clients won't need to create accounts, so none of their data will be stored in the cloud. Once you have this set up, it works every time.
If you are with an agency or clinic, there is more risk. Your workforce might not be diligent about doing the manual steps that I just mentioned. In that case, you might want a paid account with Zoom, with a signed Business Associate Agreement. Cloud recording will be disabled and encrypted chat will be enabled. User accounts can be deleted. Notice that encrypted chat would still store messages in the cloud so you should avoid the chat feature.
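For an agency that cannot rely on every staff member doing the manual steps above, the four settings can be checked as policy-as-code. The following is an added example, not code from the original article or from Zoom: it audits a settings object shaped like a Zoom user-settings API response and returns a remediated copy. The section and field names (`recording.cloud_recording`, `in_meeting.chat`, `in_meeting.waiting_room`, `schedule_meeting.require_password_for_scheduling_new_meetings`) are assumptions and should be verified against the current Zoom API reference before use.

```python
"""Audit Zoom user settings against the data-residency hardening steps:
no cloud recording, no in-meeting chat, passcode required, waiting room on.
Field names are ASSUMED to match Zoom's user-settings API response shape."""
from typing import Dict, List, Tuple

# Each rule: (section, key, required value, why it matters for client data)
RULES: List[Tuple[str, str, bool, str]] = [
    ("recording", "cloud_recording", False,
     "cloud recordings live on the vendor's servers; record locally instead"),
    ("in_meeting", "chat", False,
     "chat messages are stored in the cloud even with 'encrypted chat' enabled"),
    ("in_meeting", "waiting_room", True,
     "the waiting room keeps uninvited participants out of the session"),
    ("schedule_meeting", "require_password_for_scheduling_new_meetings", True,
     "a passcode blocks anyone who only has the meeting link"),
]


def audit_zoom_settings(settings: Dict[str, Dict[str, bool]]) -> List[str]:
    """Return one finding per violated rule; an empty list means compliant.
    A missing section or key is treated as non-compliant (value None)."""
    findings = []
    for section, key, required, why in RULES:
        actual = settings.get(section, {}).get(key)
        if actual != required:
            findings.append(
                f"{section}.{key} is {actual!r}, expected {required!r}: {why}")
    return findings


def hardened(settings: Dict[str, Dict[str, bool]]) -> Dict[str, Dict[str, bool]]:
    """Return a copy of the settings with every rule satisfied (the remediation)."""
    fixed = {section: dict(values) for section, values in settings.items()}
    for section, key, required, _ in RULES:
        fixed.setdefault(section, {})[key] = required
    return fixed


# Constructed sample: a default-looking account with cloud recording and chat on.
SAMPLE_SETTINGS = {
    "recording": {"local_recording": True, "cloud_recording": True},
    "in_meeting": {"chat": True, "waiting_room": False},
    "schedule_meeting": {"require_password_for_scheduling_new_meetings": False},
}

if __name__ == "__main__":
    for finding in audit_zoom_settings(SAMPLE_SETTINGS):
        print("FINDING:", finding)
    print("after remediation:", audit_zoom_settings(hardened(SAMPLE_SETTINGS)))
```

Run it against each user's settings pulled from the account to get a per-user list of deviations; the remediated copy is what you would push back if the account is managed centrally.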
Free 30-Minute Workshop for Private Practice Therapists!
- Discover the three biggest website mistakes made by private practice therapists
- Walk away with an understanding of the changes you need to make to your website
- Feel confident about being an entrepreneur, finally having a vision for a strategic website that will help you build your therapy practice
"After this workshop, I finally started thinking about the FUNCTION of my website, not just the look."
More of...
- Referrals
- Confidence
- Ease & Balance
Less of...
- Inefficiency
- Frustration
- Low Income


Maintaining clients over time often involves communication within treatment teams.
Q: Is consent assumed in workplace communication, allowing colleagues to discuss a case?
The key concept to remember is that the data belongs to the organization that has collected it. The organization is responsible for maintaining the confidentiality of the information.
Specific levels of consent are assumed in workplace discussions between colleagues. This is tied to the role and responsibilities of the employee. People working within an organization have access to the internal data that is appropriate for their security clearance level. They are allowed to have case discussions with others that have similar roles and responsibilities.
Organizations are required to have safeguards in place so that people who don't have security clearance cannot access the information. Leaving a confidential file on top of a desk overnight would be inappropriate because the cleaning staff would be able to read that file. Similarly, having a case discussion in a public cafeteria or elevator would be inappropriate. Security badges, locked doors and passwords are all examples of safeguards that protect the privacy of clients.
Q: Should supervisors or students be able to observe telepractice sessions in a clandestine way, without their participation being obvious to the client or clinician?
Sometimes a clandestine observation is better than an interruption which derails the session. Your policy regarding observations should be explained at the beginning. It should be part of the informed consent. ZOOM Cloud Meetings offers this for agency accounts, but not individual accounts.
Q: Can my coworkers see my clinical notes?
Yes, many workplaces use some type of central, secure storage for data so that the data survives long after you are gone. If you retire or move to another job, the information about your past clients will stay with the organization.
Q: My workplace has a VPN which I use when I work from home. What is that?
Here are some definitions that you should know:
Intranet: An intranet is a private LAN accessible only to an organization’s staff. Intranets can act as communication hubs for organizations. If you are an approved employee, you can store information such as clinical records, staff news and announcements centrally and your co-workers will be able to access the information at any time.
Intranet versus Internet: There is one major distinction between an intranet and the Internet: The Internet is an open, public space, while an intranet is designed to be a private space.
Remote Access Server (RAS): A remote access server is a type of server that provides a suite of services to remotely connected users over a network or the Internet. It operates as a central server that connects remote users with an organization's internal local area network (LAN). Thus, an approved employee would be able to log into the private space without being in the building. It allows employees to work remotely.
Virtual Private Network (VPN): A VPN allows you to create a secure connection to another network over the Internet. If you are working for an agency from a remote location, your agency will want to prevent unauthorized people from being able to access the private space. A VPN encrypts all traffic between your device and the agency's VPN server and makes it appear as though you are on the same network as the server you are logging into.


Here are the five guiding principles for Canadian therapists.
1st Principle: The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to all of Canada
As a service provider in Canada, you are required to comply with PIPEDA, which is a federal law that has some similarities to HIPAA in the US. Whenever you obtain personal information about a potential client, you are expected to protect that information with three types of safeguards:
- Administrative safeguards identify all written, spoken or electronic personal information and prevent that information from being shared with people who should not have access to it. For example, a consent form for the release of information is an administrative safeguard.
- Physical safeguards like locked doors and employee badges prevent unauthorized people from being able to access workstations and electronic media.
- Technical safeguards, like user IDs, passwords and data encryption, keep the data hidden until an authorized recipient opens it.
There is no federal law which states that personal information or personal health information must stay on a server in Canada.
2nd Principle: In most provinces, the privacy protection laws for data collected by the private sector have been deemed as substantially similar to PIPEDA, the federal law.
If you are a therapist working in private practice, you are working in the private sector, not the public sector. Use the link below to get the details for each region of Canada. You will see that in most parts of Canada, the privacy protection laws for the private sector mirror PIPEDA. There is no provincial or regional law which states that the data you collect in your business must stay on a server in Canada. Businesses are permitted to use programs that run on global servers, such as email, online programs and cloud storage.
In the province of British Columbia, the privacy protection law for the private sector is the Personal Information Privacy Act (PIPA). If your business collects personal information from clients and simply bills a government funding source, PIPA applies. For example, if you are a therapist in BC, your data from clients funded by the Autism Funding Program or At Home Medical Benefits can reside on global servers.
3rd Principle: In a few provinces, the privacy protection laws for data collected by the public sector state that the data must stay in Canada.
All Canadian provinces and territories have enacted legislation that regulates the collection, use and disclosure of personal information in the public sector. Specifically, this is any data that the local government has collected through public schools, health authorities, public service agencies, the courts and so on.
Let’s use British Columbia as our example again. BC protects public data with FOIPPA (Freedom of Information and Protection of Privacy Act). Public bodies are required to comply with this law, which states that data collected by a public body must stay in Canada. This has far-reaching implications for the use of email, online programs and cloud storage. Note that this is not a federal law; it is specific to BC.
Nova Scotia, Quebec and Alberta have similar laws. These were enacted in response to the Patriot Act in the US. The following article provides a summary of how and why these provincial laws exist.
4th Principle: The Personal Health Information Protection Act (PHIPA) only applies to healthcare professionals in Ontario
If you do online research regarding practice management software for therapists in Canada, you will find marketing messages aimed at Ontario’s healthcare providers. Ontario has a unique privacy protection law which differs substantially from the rest of Canada. All healthcare data is protected by the Personal Health Information Protection Act (PHIPA), regardless of whether it was collected by a clinician in the public sector or the private sector.
PHIPA states that patients must know where their healthcare data is being stored and must be informed if a breach occurs. This law does not state that healthcare data must reside on servers in Canada. There is a strong inclination to do so however, because Canadian healthcare providers are held responsible for full disclosure to the public when there is a problem.
5th Principle: Provincial and regional governments remain responsible for the data they own and subsequently share with therapists.
Pay close attention! If you are a private practice therapist in Canada, you must understand and comply with this principle. In British Columbia, Nova Scotia, Quebec and Alberta, it is important to distinguish between data collected by your business versus data collected by your provincial or regional government and then shared with your business.
If you are a contractor for a public body, there may be a privacy protection schedule attached to your contract. For example, a private practice therapist in BC might be surprised to learn about the obligation to comply with BC’s Freedom of Information and Protection of Privacy Act (FOIPPA) in order to work with clients from government programs such as WorkSafe BC or the Community Brain Injury Program.
This is because the public body remains responsible for the personal information that it owns and subsequently shares with you. There might be a government case manager involved, or case files that are passed to the therapist. Note that the government does not own basic contact information, like a person’s name, email and address.
Become a Confident Telepractice Professional
I hope my advice has helped you become more confident.
Stay in compliance with the privacy protection laws that apply to your work situation. If you have more than one workplace, do your best to understand the different regulations that apply. Stay informed so that you can avoid anxiety, conflicts and unnecessary expenses.