Business Basics

Warnings for Canadian Therapists

Warnings about the risks of data storage for Canadian therapists can be confusing.

Q: Why have I seen advertisements that tell Canadian therapists to keep their data in Canada?

There is no federal law requiring therapists to keep their data in Canada. A few provinces (Alberta, Quebec, British Columbia and Nova Scotia) require public agencies to keep their data in Canada, but this does not apply to the data you collect in your private practice. Your business is not a public agency.
 
Personal Health Information Protection Act (PHIPA): In Ontario, all healthcare providers must comply with their provincial Personal Health Information Protection Act. It makes no difference if they are with a public body or a private company. Ontario has many clinicians in private practice, so the advertisements you find online are largely aimed at the Ontario market. 
 
Ontario’s PHIPA states that a company in Canada that outsources information processing to the United States, where it will be subject to US laws, should notify its customers that the information may be made available to the US government or its agencies. The information should only be used for the original purpose of collection. It should be stored with the same level of password protection and encryption as would be the case in Canada. 
 
While information can cross borders, the Canadian business remains liable for any problems if there is a security breach. This risk places a hardship on Ontario’s healthcare providers, making them understandably cautious.

Q: What is a HIPAA Business Associate Agreement?

HIPAA addresses the problems of a fractured healthcare system in the US, where personal health information (PHI) is constantly being passed between healthcare providers, health insurers and health exchange organizations.
 
HIPAA Business Associate Agreement (BAA): The purpose of the BAA in HIPAA is to ensure that there is an unbroken chain of responsibility for any personal health information (PHI) that may be "touched" by a vendor and/or service provider. In other words, the law forces the big players to meet a common standard. The agreement is a method of sharing the risk and is, essentially, a promise to be accountable should a breach take place.
 
Not all providers for video conferencing software are willing to share the risk. For example, Apple and Skype have deliberately chosen not to take on these risks.

Q: Do I need the expensive healthcare version of Zoom?

It depends.
 
Zoom has three features which use cloud storage:
  • Storing recordings in the cloud
  • Creating user accounts for clients, which requires their name and email
  • Texting with clients in the Zoom chat window

As a clinician in Canada, it is your responsibility to understand your obligations and goals. Are you required to keep your data in Canada? Are you running a sole practice? Are you responsible for a large workforce?
 
If you are required to keep your data in Canada, the free version of Zoom might still be the best option for you. Simply avoid using the chat feature in Zoom and download your recordings to your computer instead of storing them in the cloud. Use a password and the waiting room feature; together these prevent people from entering your session without permission. Your clients won't need to create accounts, so none of their data will be stored in the cloud. Once you have this set up, it works every time.
 
If you are with an agency or clinic, there is more risk. Your workforce might not be diligent about doing the manual steps that I just mentioned. In that case, you might want a paid account with Zoom, with a signed Business Associate Agreement. Cloud recording will be disabled and encrypted chat will be enabled, and user accounts can be deleted. Notice that encrypted chat would still store messages in the cloud, so you should still avoid the chat feature.

Treatment Teams

Maintaining clients over time often involves communication within treatment teams.

Q: Is consent assumed in workplace communication, allowing colleagues to discuss a case?

The key concept to remember is that the data belongs to the organization that has collected it. The organization is responsible for maintaining the confidentiality of the information.
 
Specific levels of consent are assumed in workplace discussions between colleagues. This is tied to the role and responsibilities of the employee. People working within an organization have access to the internal data that is appropriate for their security clearance level, and they are allowed to have case discussions with others who have similar roles and responsibilities.
 
Organizations are required to have safeguards in place so that people who don't have security clearance cannot access the information. Leaving a confidential file on top of a desk overnight would be inappropriate because the cleaning staff would be able to read that file. Similarly, having a case discussion in a public cafeteria or elevator would be inappropriate. Security badges, locked doors and passwords are all examples of safeguards that protect the privacy of clients.

Q: Should supervisors or students be able to observe telepractice sessions in a clandestine way, without their participation being obvious to the client or clinician?

Sometimes a clandestine observation is better than an interruption which derails the session. Your policy regarding observations should be explained at the beginning, as part of the informed consent. Zoom Cloud Meetings offers this for agency accounts, but not individual accounts.

Q: Can my coworkers see my clinical notes?

Yes, many workplaces use some type of central, secure storage for data so that the data survives long after you are gone. If you retire or move to another job, the information about your past clients will stay with the organization.

Q: My workplace has a VPN which I use when I work from home. What is that?

Here are some definitions that you should know:
 
Intranet: An intranet is a private LAN accessible only to an organization’s staff. Intranets can act as communication hubs for organizations. If you are an approved employee, you can store information such as clinical records, staff news and announcements centrally and your co-workers will be able to access the information at any time.
 
Intranet versus Internet: There is one major distinction between an intranet and the Internet: The Internet is an open, public space, while an intranet is designed to be a private space.
 
Remote Access Server (RAS): A remote access server is a type of server that provides a suite of services to remotely connected users over a network or the Internet. It operates as a central server that connects remote users with an organization's internal local area network (LAN). Thus, an approved employee would be able to log into the private space without being in the building. It allows employees to work remotely.
 
Virtual Private Network (VPN): A VPN allows you to create a secure connection to another network over the Internet. If you are working for an agency from a remote location, your agency will want to prevent unauthorized people from being able to access the private space. A VPN encrypts all traffic between your device and the agency's VPN server (the two ends of the tunnel) and makes it appear as though you are in the same location as the server that you are logging into.
Anna Krueger, MSc, Strategy Consultant

Therapy Biztech

If you are a private practice therapist, Therapy Biztech has step-by-step courses and tools customized for you. I spent more than 35 years as a private practice speech language pathologist in Canada. I learned how to offer asynchronous therapy by having my curriculum available to clients behind a login. Now I'm sharing my successful approach with you. 

Learn how to streamline your website, marketing and curriculum so you can sell your expertise instead of your time.