PIPA for Physical Therapists

The Legislation

There are two privacy Acts in British Columbia governing public and private organizations: FOIPPA and PIPA.

Freedom of Information and Protection of Privacy Act (FOIPPA)

Most public health care organizations, including hospitals, health authorities, MSP, PharmaNet, and the health ministries, are subject to the privacy protection measures contained in British Columbia’s public sector privacy legislation: the Freedom of Information and Protection of Privacy Act (FOIPPA). It guarantees the right of the public to gain access to, and request correction of, personal information collected about them by public organizations and prevents the unauthorized collection, use, or disclosure of personal information by public organizations. FOIPPA does not apply to personal information held by private clinics.

Personal Information Protection Act (PIPA)

The Personal Information Protection Act, which came into effect on January 1, 2004, covers all physical therapists within private practice and requires all clinics to comply with rules regarding the collection, use, and disclosure of personal information.

The core principle of PIPA is that personal information should not be collected, used, or disclosed without the prior knowledge and consent of the patient, subject to limited exceptions (e.g., where the collection, use, and disclosure is clearly in the interests of the individual and consent cannot be obtained in a timely way and where the collection, use, and disclosure is necessary for medical treatment of the individual and the individual is unable to give consent or does not have the legal capacity to give consent). PIPA includes an implied consent provision, which applies to health care practitioners in most circumstances.

What is Personal Information?

Personal information is any information about an identifiable individual, excluding contact information and work product information. It includes an individual’s gender, age, ethnic origin, race, identification numbers, financial and credit information, personal health information, consumer preference information, religious affiliations, donation history, travel history, personal habits, and personal history.

The Role of the Physical Therapist

Maintaining confidentiality is a fundamental responsibility of physical therapists, and is a central part of the therapist-patient relationship. The patient ultimately owns his or her personal health information, but the physical therapist acts as an accountable custodian of the medical information that he or she collects, controlling its disclosure through appropriate consent.

Express consent, whether verbal or written, should not be required during the course of providing direct patient care or for routine administrative purposes, such as billing. In such cases, implied consent is sufficient. You may reinforce the concept of implied patient consent by posting information and providing brochures for your patients on your clinic’s PIPA policy.

How to Protect Patient Information: 10 Principles

The following 10 principles form the basis of the Personal Information Protection Act (PIPA) and other privacy legislation around the world. This document provides general background and guidance, and does not replace PIPA.

  1. Accountability: Physical therapy clinics are responsible for the personal information under their control, both patients’ and employees’. A privacy officer (preferably a physical therapist) must be designated as responsible for the clinic’s compliance with PIPA. The privacy officer must understand what kind of information is covered under PIPA, how it is collected, and how it must be protected. Key functions of the privacy officer include: helping patients understand what is happening with their information; developing and implementing the clinic’s policies and procedures to protect personal information; training employees about privacy policies, procedures, and confidentiality agreements; responding to inquiries and complaints; and overseeing privacy practices.
  2. Identifying purpose: Before collecting personal information, physical therapy clinics should advise patients why they are collecting it and how it will be used. Each practice should therefore assess its existing information collection practices to define and document purposes for which personal health information is collected. If it is not possible to identify the purpose, the clinic should stop collecting the data.
  3. Consent: Physical therapy clinics are required to obtain patients’ consent to collect, use, or disclose personal information, unless they can satisfy one of the limited exceptions to obtaining consent. Consent may be implied or expressly given; it may be given either verbally or in writing. To validly consent, patients must have a reasonable understanding of what information will be collected, who will have access to it, how it will be used, and to whom it may be disclosed. Patients should be able to withdraw consent at any time, subject to legal or contractual reasons and reasonable notice.
  4. Limited collection: Physical therapists should only collect the minimum personal information necessary to fulfill stated goals. Information must be collected by fair and lawful means.
  5. Limiting use, disclosure, and retention: Physical therapy clinics must use and disclose personal information in accordance with the purposes given to the patient. New uses and disclosures require new consent. Information should be kept only for as long as necessary to meet the original purposes, or as required by law.
  6. Accuracy: Patient information must be kept accurate and complete as required to fulfill stated purposes.
  7. Safeguards: Physical therapy clinics must safeguard personal information to protect against security risks such as loss, theft, unauthorized disclosure, copying, use, or alteration. Technological safeguards include the use of passwords and encryption. Security measures include the use of security clearances and limiting access on a “need-to-know” basis. Security safeguards appropriate to the sensitivity of the information are to be used, regardless of the medium in which patient information is stored.
  8. Openness: Physical therapy clinics should inform patients about the personal information they hold, the purposes for which it is used, the persons to whom it is disclosed, and how an individual may access it. In part, this can be done through patient brochures or posters.
  9. Individual access (patients and employees): Patients are entitled to access their personal information to ensure its accuracy and completeness, and to identify to whom it was disclosed, subject to certain exceptions. Clinics may charge a minimal fee for such access.
  10. Challenging compliance: Patients can challenge a clinic’s compliance with these principles through the practice’s required complaints process or the College of Physical Therapists of British Columbia and, failing a satisfactory resolution, the Office of the Information and Privacy Commissioner of British Columbia.

How to Comply with PIPA: 10 Steps

These 10 steps are a companion to the 10 Principles for protecting patient information in physical therapy clinics. These steps lay out actions you should take to comply with PIPA. You are probably already doing most of this and just need to review and formalize how personal information is handled.

  1. Put someone in charge: Each clinic must have a privacy officer (preferably a physical therapist) responsible for helping patients understand how personal information is being managed and for ensuring compliance with PIPA. The privacy officer must understand what kind of information is covered under PIPA, how to collect information, what information is required from patients, what information to disclose, to whom it can be disclosed and why, when consent from the patient will be required and when it is not, how patients can access their own records, how patients can request corrections to their records, and what fees can be charged for access. The privacy officer is responsible for ensuring that the clinic’s privacy policy (see step 6) and procedures are fully implemented and working effectively.
  2. Become familiar with the Act: The next step is for the privacy officer, clinicians, and employees to familiarize themselves with PIPA’s privacy principles and with the resources on the PIPA website. The websites of the BC Information and Privacy Commissioner and of the government of BC are also informative.
  3. Review how your practice handles personal information: The first question to ask is “What personal information do we collect and how does our clinic currently manage it?” This simply means your privacy officer will conduct an internal inventory that includes the following three steps, which may be performed together or in order:
    • taking an inventory of the personal information you currently have;
    • identifying the information needs of the different functions within your clinic; and
    • identifying your current information practices (including how and why your clinic collects, uses, and discloses personal information).
  4. Put your clinic to the test: Consider whether your information handling practices meet PIPA obligations. If you are currently applying the well-established ethical and professional principles to the management of patient information, it is unlikely that significant changes are needed. Develop a plan to overcome any deficiencies, starting with the most problematic areas. These include your handling of the most sensitive personal information collected or of the information most vulnerable to improper use or disclosure.
  5. Implement changes: After assessing your information-handling practices, you may need to implement changes to your information practices and systems (technological and otherwise). Regardless of the size of your practice, any person who collects, uses, or discloses personal information should be involved in the implementation of your privacy program. Compliance with the privacy principles may require a change to some of your computer systems or how your practice physically stores information.
  6. Develop a privacy policy: PIPA requires you to prepare and follow a privacy policy, which has to be available for review by patients and employees. Consult the staff who handle personal information in your clinic when developing your policy. Consider policies and practices in the following areas:
    • How information will be safeguarded by physical, technological, and organizational security measures
    • How to ensure personal information is collected accurately and disposed of properly
    • How to give patients notice of why you are collecting information about them and how to obtain and record consents and handle withdrawals of consent
    • How you will maintain the privacy of your employees’ personal information
    • How you will safeguard personal information held outside patient charts and electronic medical records: computer screens, conversations, phone calls, e-mails, faxes, photocopiers, courier deliveries, and other media all need protection.
  7. Train staff: A privacy plan should include a program to train staff about privacy procedures and policy. No matter how good your privacy policy and practices are on paper, or how secure your technology is, it is your staff members who will be responsible for consistently complying with the privacy principles on a patient-by-patient basis. Therefore, staff training will be essential to your success. Every one of your employees, associates, contractors, partners, or agents who collect, use, or disclose personal information will need to understand what they must do to comply with PIPA’s privacy principles and your clinic’s privacy policy. Staff should also sign a confidentiality agreement.
  8. Develop or revise forms and communications materials: Review and revise your forms, brochures, websites, and so on, to comply with PIPA and inform your patients about your privacy policy and information practices. You can rely on a patient’s implied consent to collect, use, and disclose personal information for medical treatment, but for that implied consent to be valid you should give patients notice of this purpose at the time you collect the information. A number of forms are available for download.
  9. Review and revise contracts: Your clinic is responsible for personal information in its custody as well as under its control. This includes personal information that you have transferred for processing, or information that a third party may have collected on your behalf. To ensure that this personal information is properly protected, your contracts with third parties should clearly require the third parties to comply with PIPA and any policies you have developed to properly manage personal information. Contracts should specify the purpose for which the third party is allowed to use the personal information and prohibit any other use or disclosure.
  10. Develop an effective complaints handling process: PIPA requires you to create a process for handling privacy complaints. It is always more efficient for you to resolve complaints through your privacy officer than to involve an outside regulator (for complaints about privacy and confidentiality, the College of Physical Therapists of BC and, failing a successful resolution, the Office of the BC Information and Privacy Commissioner, www.oipcbc.org). Having an effective complaints-handling process is an important part of managing privacy risks within your clinic.

How to Ensure Accuracy of Patient Records

Patient records should:

  • Be written as soon as possible after an event has occurred.
  • Be written clearly, legibly, and in such a manner that they cannot be erased.
  • Be accurately dated and signed, with the name of the author being printed alongside the first entry and name or initials on subsequent entries.
  • Be written in such a manner that any alterations or additions are dated and signed in such a way that the original entry can still be read clearly.
  • Be readable on any photocopies.
  • Be written, wherever possible, with the involvement of the patient.
  • Be clear, unambiguous, and written in terms that the patient can understand.
  • Contain only abbreviations and symbols that are commonly used by physical therapists.
  • Be consecutive.
  • Be complete.
  • Include history, medications, subjective findings, objective findings, physical therapy diagnosis, treatment and advice received and/or given concerning precautions and/or contraindications.

How to Ensure Security of Patient Records

For all types of records, staff working in physiotherapy clinics where patient records are kept should:

  • Secure files in an area with restricted access
  • Control access to fax machines
  • Query the status of strangers and ask for I.D. if appropriate
  • Know who to tell if anything suspicious or worrying is noted
  • Keep security systems information confidential
  • Sign confidentiality agreements that outline penalties for inappropriately collecting, using or disclosing personal information.
  • Keep health records on-site wherever possible. When records must be taken off-site they should be kept secure at all times.
  • Protect laptop and handheld computers with passwords
  • Encrypt data wherever possible

Paper records should be:

  • Protected from public access (e.g. by a physical barrier such as a reception desk)
  • Formally booked out from the normal filing system
  • Tracked if transferred with a note made or sent to the filing location of the transfer
  • Returned to the filing location as soon as possible after completion of treatment
  • Stored securely within the clinic or office, arranged so that the record can be found easily if needed urgently
  • Stored closed when not in use so the contents are not seen accidentally
  • Inaccessible to members of the public and not left – even for short periods – where they might be looked at by unauthorized persons
  • Kept safeguarded when held in storage, and be clearly labeled. (Protected from loss, theft, unauthorized disclosure, copying, use, alteration)

With electronic records staff should:

  • Log out of computer systems or applications when not in use (whether leaving for the day or for a few minutes)
  • Not leave a terminal unattended and logged-in
  • Keep computers away from public view and access
  • Not share user IDs or passwords with other people. If other staff members have a need to access records, appropriate access should be organized for them; this must never be done by using another user’s ID or password
  • Change passwords at regular intervals, and immediately if there is any suspicion that a password has been disclosed, to prevent anyone else using them
  • Not use short passwords, or names or words that are known to be associated with them (e.g. children’s or pet names, or birthdays). Passwords should never be written down
  • Revoke user IDs and passwords as soon as authorized users resign or are dismissed
  • Always clear the screen of a previous patient’s information before seeing another
  • Use a password-protected log-out to prevent casual viewing of patient information by others
  • Install firewall software wherever the computer system has Internet access
  • Use audit trails to track when a record is accessed, by whom, and whether the accessing individual has the necessary authorization
  • Ensure data backup intervals and methods, and disaster recovery plans, are in place and periodically reviewed
  • For large computer systems, develop and implement rules on access levels for different users for different purposes
  • Be aware that wireless computer systems may not be secure from public access
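The audit-trail and access-level points above (record who accessed what, whether they were authorized, and revoke departed users at once) can be made concrete in code. The following is an added example written for this page, not a system the page or any of the named organizations describe: a small record store that enforces need-to-know access by role and section of the chart, logs every attempt (allowed or denied), and answers the patient’s “who has seen my file?” question from that log. The roles, section names and sample data are assumptions constructed for the example.

```python
"""Need-to-know access control with an audit trail for clinic patient records.

Hypothetical illustration written for this page. The roles, record sections
and sample data are constructed for the example and are not taken from PIPA
or from any clinic system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Assumption: three clinic roles; each may read or write only the listed sections.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "therapist": {"read": {"contact", "clinical"}, "write": {"clinical"}},
    "reception": {"read": {"contact"}, "write": {"contact"}},
    "billing": {"read": {"contact", "billing"}, "write": {"billing"}},
}


@dataclass(frozen=True)
class AuditEntry:
    when: str            # UTC timestamp of the attempt
    user: str            # individual user ID (never shared, per the guidance above)
    role: Optional[str]  # None when the user is unknown or has been revoked
    patient_id: str
    action: str          # "read" or "write"
    section: str         # part of the chart touched: contact / clinical / billing
    allowed: bool
    reason: str


class PatientRecordStore:
    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, dict]] = {}
        self._users: Dict[str, str] = {}   # user ID -> role; removed on revocation
        self.audit: List[AuditEntry] = []  # append-only; every attempt is recorded

    def add_user(self, user: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._users[user] = role

    def revoke_user(self, user: str) -> None:
        """Remove access the moment someone leaves; later attempts are denied and logged."""
        self._users.pop(user, None)

    def _authorize(self, user: str, action: str, section: str):
        role = self._users.get(user)
        if role is None:
            return None, "unknown or revoked user"
        if section not in ROLE_PERMISSIONS[role].get(action, set()):
            return role, f"role {role!r} may not {action} {section!r}"
        return role, "ok"

    def _log(self, user, role, patient_id, action, section, allowed, reason) -> None:
        self.audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user, role, patient_id, action, section, allowed, reason))

    def read(self, user: str, patient_id: str, section: str) -> Optional[dict]:
        role, reason = self._authorize(user, "read", section)
        allowed = reason == "ok"
        self._log(user, role, patient_id, "read", section, allowed, reason)
        if not allowed:
            return None
        return dict(self._records.get(patient_id, {}).get(section, {}))

    def write(self, user: str, patient_id: str, section: str, data: dict) -> bool:
        role, reason = self._authorize(user, "write", section)
        allowed = reason == "ok"
        self._log(user, role, patient_id, "write", section, allowed, reason)
        if allowed:
            self._records.setdefault(patient_id, {}).setdefault(section, {}).update(data)
        return allowed

    def disclosures(self, patient_id: str) -> List[AuditEntry]:
        """Successful reads of one patient's chart: what to show a patient who asks
        who has seen their file (principle 9, individual access)."""
        return [e for e in self.audit
                if e.patient_id == patient_id and e.action == "read" and e.allowed]

    def denied(self) -> List[AuditEntry]:
        """Refused attempts: what the privacy officer should review."""
        return [e for e in self.audit if not e.allowed]


def demo() -> PatientRecordStore:
    """Constructed scenario: three staff, one patient, one departing employee."""
    store = PatientRecordStore()
    store.add_user("pt01", "therapist")
    store.add_user("rec01", "reception")
    store.add_user("bill01", "billing")
    store.write("rec01", "P-1001", "contact", {"phone": "604-555-0100"})
    store.write("pt01", "P-1001", "clinical", {"diagnosis": "rotator cuff strain"})
    store.read("bill01", "P-1001", "contact")    # allowed: billing needs contact details
    store.read("bill01", "P-1001", "clinical")   # denied: clinical notes are not need-to-know
    store.read("rec01", "P-1001", "clinical")    # denied
    store.revoke_user("rec01")                   # reception staff member resigns
    store.read("rec01", "P-1001", "contact")     # denied: ID revoked, attempt still logged
    return store


if __name__ == "__main__":
    for e in demo().audit:
        print(f"{e.when} {e.user:7} {e.action:5} {e.section:8} "
              f"{'ALLOW' if e.allowed else 'DENY '} {e.reason}")
```

Two design points worth noting. Denied attempts are logged with the same detail as successful ones, because a pattern of refused reads is exactly the “suspicious or worrying” signal staff are asked to report; and the log records the individual user ID, which is only meaningful if IDs and passwords are never shared.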

This information is provided by your physiotherapist, the Physiotherapy Association of BC and the College of Physical Therapists of BC in cooperation with the BCMA and the Office of the Information and Privacy Commissioner for BC.