Check out guides and resources to help you better use virtual care and technology to support patients.
Health information is among the most sensitive forms of personal information – and protecting it is foundational to the doctor-patient relationship.
The increasing convenience for physicians to use technologies such as smart phones and tablets, emails and websites, and video conferencing to consult with colleagues, patients, and other health care providers has meant a change in the way that personal health information is collected, used and disclosed.
However, this greater reliance on technology to communicate patient care with others brings with it increased security risks and greater challenges for physicians to maintain confidentiality of their patients’ personal health information. Lost or stolen laptops, intercepted electronic communications, and unencrypted memory sticks are just a few of the many ways privacy breaches can occur.
To assist physicians in meeting their obligations under the Personal Information Protection Act (PIPA), Doctors of BC, the Office of the Information and Privacy Commissioner for BC, and the College of Physicians and Surgeons of BC have partnered to update the BC Physician Privacy Toolkit: A guide for physicians in private practice, originally published in 2004 and subsequently updated in 2009 and now in 2017.
Along with the updated BC Physician Privacy Toolkit, this site includes comprehensive resources physicians can rely on to make complying with PIPA easy and straightforward.
Here's a PIPA FACT SHEET for quick reference
Within each section you will find:
What legislation applies?
Personal Information Protection Act (PIPA)
What are your responsibilities?
Comply with all 10 Principles of PIPA
Principle 1 Be Accountable
Principle 2 Identify Purpose
Principle 3 Obtain Consent
Principle 4 Limit Collection
Principle 5a Limit Use
Principle 5b Limit Disclosure
Principle 5c Limit Retention
* Computers, photocopiers, cellular phones, etc.
Principle 6 Maintain Accuracy
Principle 7 Employ Safeguards
* Include administrative, physical, and technological safeguards
Principle 8 Be Open and Transparent
* On websites, in brochures, etc.
Principle 9 Provide Access
Principle 10 Permit Recourse
To find a question you need an answer to, press Ctrl-F on your keyboard and enter a keyword. For example, if you are looking for information about how to respond to a privacy breach, enter the word breach and press the Enter key.
How can a patient request access to their personal information?
The patient can complete and send you the Patient Request for Access to Personal Information form.
How can a personal representative of a deceased patient request access to their loved one’s medical records?
Under Section 3 of the PIPA Regulations, the “personal representative of the individual at the time of the individual’s death or, if there is no personal representative, the nearest relative” may exercise the access rights of the deceased individual and give or refuse consent to the collection, use and disclosure of the deceased’s personal information.
The personal representative can complete and send you the Patient Request for Access to Personal Information form. A physician is obligated to provide a copy of records when provided with a written, dated authorization form.
How much can I charge for providing access to a patient’s medical records?
PIPA permits a physician to charge a “minimal fee” for access to a patient’s medical records. Providing copies of relevant information contained in a medical record and/or forwarding a file to another physician should be done promptly and never be delayed pending payment of the “minimal fee”. Physicians should be mindful of the patient’s economic circumstances when charging this fee.
The Office of the Information and Privacy Commissioner for BC interprets “minimal fee” to be a “nominal fee”.
For more information from the College of Physicians and Surgeons of BC, see Medical Records.
What is required to provide patient information to law enforcement agencies?
While it is not mandatory, Section 18(j) of PIPA permits the disclosure of personal information to a law enforcement agency to assist in an investigation (or in the decision to undertake an investigation) to determine whether an offence has taken place, or to prepare for the laying of a charge or the prosecution of an offence.
For more information from the College of Physicians and Surgeons of BC, see Disclosure of Patient Information.
What should I do if I accidentally mail something to the wrong address?
When the mistaken recipient contacts you, ask them if they opened the envelope. If they did not open it, ask them to mark it as “Return to Sender” and put it in the mail. Once it is received:
If they did open it, ask them to shred the contents and confirm when that has been done. Once they have confirmed destruction:
When the mistaken recipient contacts you, ask them to immediately shred the faxed documents.
Once they have confirmed destruction:
Check to ensure you have a fax disclaimer set up so that all outgoing faxes include the disclaimer. See Fax Disclaimer Template.
What should I do if I accidentally send an email to the wrong person?
Send an email to the mistaken recipient asking them to:
Send the email to the correct recipient and with an apology that includes the following:
Check to ensure you have an email disclaimer set up so that all outgoing email includes the disclaimer. See Email Disclaimer Template.
How can a patient request a correction to their personal information?
The patient can complete and send you the Patient Request to Correct Personal Information form.
What internal controls can be put in place to ensure accuracy?
There are several internal controls in place such as:
A privacy breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information. The most common privacy breach happens when personal information of members, non-members or employees is stolen, lost or accidentally disclosed. There are two different kinds of breaches:
If you know or suspect a breach has occurred, immediately notify your Privacy Officer. Depending on the scope of the breach, they may contact the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
For more information from the Office of the Information and Privacy Commissioner for BC, see Privacy Breaches: Tools and Resources.
What are the safest ways to collect personal information?
Patient information should be collected on a standard form.
If collecting information verbally, ensure you are in a private place where no one else can hear.
Whenever possible, you should employ the following methods of receiving information:
Less secure methods include:
Please refer to the Canadian Medical Protective Association (CMPA) for Consent to Use Electronic Communications.
Is consent required if photos are taken and will be used in a presentation?
If it is in a business setting and the only people being photographed are involved in the project, then consent is not required. If there are any other people whose photos may be included (such as a patient), then written consent is required.
Can I disclose medical records to anyone outside my practice?
Please refer to the College of Physicians and Surgeons of BC Medical Records guidelines.
How should records in paper format be disposed of?
Paper records can be disposed of by:
When destroying information, a Certificate of Destruction should be completed.
How should data on portable media (CD/DVD/USB) be disposed of?
Data on portable media can be disposed of by:
When destroying information, a Certificate of Destruction should be completed.
How should data on computers and servers (desktop, personal computer, laptop or file server) be disposed of?
Data on computers and servers can be disposed of by:
When destroying information, a Certificate of Destruction should be completed.
How should data on backup systems and media be disposed of?
Data on backup systems and media can be disposed of by:
When destroying information, a Certificate of Destruction should be completed.
What if a patient asks us to send them an email to an email address we do not have on record?
If they are asking by email:
If they are asking by phone:
If they are asking in person:
Physicians are discouraged from using shared fax equipment as control over access to patient data cannot be ensured. For more information, see Guidelines for Use of Email or Fax.
Is it safe to leave paper files unattended in the office?
This should never be done, as the files could be at risk of unauthorized access or theft.
Is it safe to save files on the C:\ drive on your desktop?
This should never be done, as the files will not be backed up and could be at risk of unauthorized access or computer theft after hours.
Is there a standard set of questions to ask when verifying someone's identity over the phone?
You can ask for 2-3 pieces of information that only the person would know. Do not provide the information and ask for confirmation. Instead, ask questions like:
Keep in mind that someone impersonating a patient may already know much of this information.
When is it appropriate to provide your Social Insurance Number (SIN)?
Your SIN is the authorized number for income tax purposes under section 237 of the Income Tax Act and is used under certain federal programs. You have to give it to anyone who prepares an information slip (such as a T3, T4, or T5 slip) for you. Each time you do not give your SIN when you are supposed to, you may have to pay a penalty. You also have to give it to the Canada Revenue Agency (CRA) when you ask for personal tax information. If your SIN is missing or incorrect on your slips, advise your slip preparer (employer, issuer, or administrator of your information slip). Your SIN card is not a piece of identification, and it should be kept in a safe place. If you are asked to provide your SIN in any other circumstances, you should refuse and advise the:
Anyone can contact your privacy officer in writing, in person, by email or by phone with their concerns. Under PIPA, a response is required within 30 days. The privacy officer’s contact information should be published on your website or in your office. If the person is not satisfied with your response, they can make a complaint to the Office of the Information and Privacy Commissioner for BC. The contact information can be found at https://www.oipc.bc.ca/about/contact-us/.
Can you remotely scrub a mobile device if it is lost or stolen?
Some devices can be disabled and/or scrubbed remotely.
If a portable device is lost or stolen, it should be immediately reported to:
It depends on whether it is encrypted.
USB keys are small and are easy to lose. The best practice is to never put sensitive information on a USB key. If files have to be saved to a USB key, they must be encrypted and/or password protected.
What is personal information?
Information, including Personal Health Information, about an identifiable individual which includes factual or subjective information about that individual. This information includes, but is not limited to, name, personal address, birth date, physical description, medical history, gender, education, employment and visual images such as photographs or videotapes.
What safeguards over personal information can be put in place?
Organizational safeguards such as:
Physical safeguards such as:
Technological safeguards such as:
Physicians are discouraged from letting personal information of patients leave Canada, even though there is no requirement under PIPA.
If you do want to use a service provider that is outside Canada, you can obtain consent from the patient to use their email address for appointment and recall services. You should ensure that no additional personal information (such as name, Care Card number or medical conditions) is included in the emails. For example, a recall message might say “Our records indicate you are due for a medical visit. Please contact our office to make an appointment.”
The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.
Can I contract with a third party outside Canada for transcription services?
Physicians are discouraged from letting personal information of patients leave Canada, even though there is no requirement under PIPA.
If you do want to use a service provider that is outside Canada, you can anonymize the data (by using initials instead of name or by using an ID number that is not associated with their government-issued IDs). Then the data being transcribed cannot be tied to an individual by the third party.
The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.
Can I grant remote access to a third party outside Canada for transcription services?
Physicians are discouraged from granting access to patients’ data in their EMR systems as the control over the information is compromised and risk of a breach is high.
If you have a third party confidentiality agreement for the services and can provide
These safeguards are difficult to accomplish with a third party.
The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.
Can I use cloud-based services in my medical practice?
Some cloud-based services such as Google Cloud print and Microsoft Office 365 store data on servers in the U.S. Physicians are discouraged from letting personal information of patients leave Canada, even though there is no requirement under PIPA.
Some cloud-based services may store data on servers in Canada. Questions you can ask potential cloud providers are:
The Canadian Medical Protective Association (CMPA) does not condone use of non-Canadian-based service providers when personal information is involved.
How can we make third parties accountable for protecting confidential information shared with them?
Ensure you have a Confidentiality and Data Sharing Agreement in place.
What are the safest ways to transmit personal information?
Whenever possible, employ the following methods of transmitting information:
Less secure methods include:
It is a complex issue and needs to be dealt with on a case by case basis. The HA is governed by FIPPA and the physician’s office is governed by PIPA. The legislation is not united, so it helps to look at it from the point of view of “who has custody or control of the medical records”, “who has liability if the records are not adequately protected”, and “who is most likely going to get sued”? If it is determined that FIPPA applies, s. 3(2)(d) of PIPA states that PIPA will not apply. Legal custody and control is relevant because of the legislation.
There are many considerations that can affect how medical records will be accessed. For example:
Physicians and their staff are not allowed to access these records unless the practice is providing care.
What’s the difference between FIPPA and PIPA legislation?
Physicians who are working in a physician’s office but are also providing services to a public health organization will generally be governed by
There are some notable differences between PIPA and FIPPA:
Physicians should refrain from sharing their login information with other physicians.