
Privacy protection laws apply when a therapist is sending out marketing messages.
Q: If I collect leads using an online form on a website, where does that data go?
As a service provider, you will collect leads from the public. If you use an online form, the data entered on such forms goes to the server that is hosting your website, or to the server hosting your form builder app. It is possible to store this data on a server in Canada if you choose your software and apps carefully.
If you use Google apps or surveys, for instance, all the information your leads have entered on your forms will be processed by US based servers.
Q: How do I protect the data I am collecting on my website?
People will be reluctant to use your online form if your site is not secure. Visitors can see whether it is secure in the browser's address bar: a lock icon and a URL that begins with https://. If your website doesn't have this yet, contact your hosting company to upgrade to a higher level of security.
HTTPS provides what is called "encryption in transit". This means that the data and communications between a browser and the website server are encrypted, so if these packets of data are intercepted, they cannot be read, and any tampering with them is detected. Note that this protects the data only while it travels between the browser and the server; once the form data is stored on the server, its protection depends on how that server is secured.
Q: Can I send out bulk email campaigns or newsletters?
It is not legal to send advertising messages to people who don’t want to hear from you. The very first step is to build a robust list of names and email addresses. These leads should be people who have filled in an online form or interacted with you or your business.
Email programs like Gmail or Outlook work best if the person you are emailing already has your email address in their list of contacts, so that your message reaches the person's inbox.
If you try to use your regular email program to reach a group of people, you will be limited to a small number of recipients. If you try to send to more people, you may get blocked from sending emails. These email programs are not designed for sending bulk campaigns to a large group of people.
You should use a bulk email program to send news and offers to the public. You can also create drip campaigns and automatic responses using this type of email software. Properly formatted email campaigns have an unsubscribe link. You should also provide a link with some identifying information about your business. If these two links are missing from your email campaigns, your messages will be identified as spam.
I recommend the AttractWell platform for therapists who want their website, marketing and online curriculum to be integrated. You don't need to waste time entering names and email addresses. That information is automatically stored in the contact list in your dashboard. You can send out single messages, bulk campaigns and customized campaign sequences using domain name email.

Privacy protection applies to all the interactions that therapists have with the public during the marketing phase.
Q: What is the difference between personal information and protected health information?
Personal Information (PI): Any recorded information, other than contact information, that uniquely identifies you is considered personal information. This includes your name, age, sex, race, religion, sexual orientation, disability, fingerprints or blood type. It also includes information about your health care, educational, financial, criminal or employment history. It also includes anyone else's opinions about you and your own views or opinions.
Protected Health Information or Personal Health Information (PHI): PHI generally includes demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care.
Q: Is there a Canadian law that is like HIPAA in the US?
Personal Information Protection and Electronic Documents Act (PIPEDA): In Canada, the federal law that gives people a right to access their personal information is PIPEDA. It requires organizations to obtain individuals' consent to the collection, use or disclosure of their personal information. This law is more similar to the European GDPR than it is to HIPAA because it applies to all personal information, not just health information.
As an online service provider in Canada, you are required to comply with PIPEDA. When you obtain personal information about a potential client, you are expected to protect that information with three types of safeguards:
- Administrative safeguards identify all written, spoken or electronic PI and prevent that information from being shared with people who should not have access to it. For example, a consent form for the release of information is an administrative safeguard.
- Physical safeguards like locked doors and employee badges prevent unauthorized people from being able to access workstations and electronic media.
- Technical safeguards, like user IDs, passwords and data encryption, keep the data hidden until an authorized recipient opens it.
In Canada, we have provincial privacy laws that are more stringent than our federal laws. Note that there is no federal law requiring Canadian service providers to keep their data on servers in Canada.
Q: How is HIPAA similar to PIPEDA?
Health Insurance Portability and Accountability Act (HIPAA): This US law applies specifically to health information. The purpose of HIPAA is to improve efficiency in the healthcare industry, to improve the portability of health insurance, to protect the privacy of patients and health plan members, to ensure health information is kept secure, and to ensure patients are notified of breaches of their health data. Code sets are used along with patient identifiers, which helps with the efficient transfer of healthcare data between healthcare organizations and insurers, streamlining eligibility checks, billing, payments, and other healthcare operations.
HIPAA and PIPEDA have similar requirements for privacy protection, specifically the need for administrative safeguards, physical safeguards and technical safeguards.