By Stan Shaw, Founder, CTS
Stan was the Regional Lead for Vancouver at the Physician Information Technology Office (PITO), established through Doctors of BC. PITO assisted physicians in private practice by providing funding for family doctors and specialists, and deploying teams across British Columbia to help clinics successfully adopt and improve the use of electronic medical records (EMRs).

In general, if your medical clinic is located in BC, and operates internally within this province, you must comply with BC’s Personal Information Protection Act (PIPA). Assuming this is exclusively the case for your clinic, compliance with PIPEDA, including its new mandatory breach reporting requirements, is not required. However, this does not mean that PIPEDA is not relevant in British Columbia. There are cases where some businesses must, in fact, comply with PIPEDA mandatory breach requirements. If you are wondering whether this applies to you, seek legal advice.
Essentially, it is your judgement call. But consider the risks of failing to report very carefully. When you make this decision, consider the potential impact to your patients and any other affected individuals. For example,
Consider also the potential for litigation through failure to comply with PIPA, contractual obligations, or other applicable legislation.
Fortunately there are lots of resources available that can help.
Here is a new resource that has been designed especially for medical clinics in British Columbia: Guidelines for Responding to a Privacy Breach, from the Doctors of BC Privacy Toolkit.
Some key advice from this document is that:
While PIPA does not currently include an explicit requirement for organizations to report breaches to the OIPC, doing so will assist the practice to demonstrate that it has taken reasonable steps to respond to the privacy breach. It may also be helpful towards resolving a complaint made to the OIPC by someone who may have been affected.
Additional help can be found in an excellent toolkit called Privacy Breaches Tools and Resources, written by the OIPC. It has helpful details on how to respond to a breach, including a breach policy template you can adapt for your clinic, and a procedure checklist that can be printed out and placed in a “policy and procedures binder”, ready to use, in case you need it.
The Doctors Technology Office, at Doctors of BC, is constantly adding new resources, and conducts workshops and webinars to help clinicians protect their offices. We will be writing about some of them in future posts. In the meantime, check their website, or contact them for specific help.
Legal note to all of the above: This is intended for general information only. It is not intended to provide legal or other advice. The key message here is: make sure you have policies and procedures in place, before a privacy breach occurs, that will help you to appropriately notify those who need to be informed.