How often do you and your team think about privacy concerns in the office? All businesses are expected to be aware of and enforce the privacy laws. This, of course, includes your dental practice, but do you know for sure that those rules aren’t slipping through the cracks? Do you have a designated Privacy Officer to keep track? You do not want to end up in a legal battle because you or one of your team members forgot to obtain consent, or ended up losing patient information due to lax security measures.
Are you and everyone in your practice following all of the privacy principles? How many are they? Where are they located? How do you keep your practice in line with those rules? I just have one word: PIPEDA. If you’re already asking, what is PIPEDA, then your practice might be in danger of not following all the privacy laws in your province. So let’s start with the obvious question:
What is PIPEDA?
If you’re not aware, PIPEDA is the Personal Information Protection and Electronic Documents Act, an act that sets out how patient data must be safely collected and stored and, when followed, protects your office from legal repercussions. This act comes with ten mandatory principles for all businesses to follow:
- Be accountable
- Identify the purpose
- Obtain valid, informed consent
- Limit collection
- Limit use, disclosure, and retention
- Be accurate
- Use appropriate safeguards
- Be open
- Give individuals access
- Provide recourse
If you are concerned that your practice is not enforcing all 10 of these principles, in addition to the 6 Privacy No-No’s, there is a PIPEDA checklist at the end of this blog post to get you started. I hope that the privacy no-no’s below will help you identify the areas in which you need to be more vigilant and the areas in which you are already providing proper privacy care, because not only is this good for your business, it will also establish a growing trust between you, your staff, and your patients.
1 Neglecting to obtain consent
This is a huge no-no that is not only a mandatory PIPEDA principle (#3) but can also land you in hot legal water if you don’t comply. However, not all consent is the same. Consent can be obtained through a simple nod of agreement, checking a box labelled “I agree”, or through a more concrete form of consent, a signature. According to the PIPEDA principles, “consent is considered valid when it is reasonable to expect that individuals can understand the nature, purpose, and consequences of the collection, use or disclosure to which they are consenting.” So again, do not be vague or neglect to tell your patients in detail what exactly they are consenting to, whether you’re collecting information (personal or otherwise) or recommending a procedure.
2 Inaccurate or outdated information
How accurate or up-to-date are your patient records? How long has it been since any changes were made? PIPEDA principle #6, “Be accurate”, is about keeping accurate and updated records in your office. When collecting information, it is important to make sure that everything you collect from your patients is as complete and up-to-date as necessary. What happens if it isn’t? The decisions you make depend on the information you collect, so if you are working with inaccurate or outdated information, such as outdated medical information or even the wrong email address, crucial or even life-threatening mistakes can be made. Keep in mind that information should be routinely checked and updated to reflect changes in your patients’ lives. People move, get married, start or stop certain medications, and develop or grow out of certain allergies. It is your responsibility to keep your records from falling behind.
3 Forgetting to put proper safeguards on patient data
Ask yourself: how secure is your patient data? Is it locked away in a filing cabinet or protected by a password? PIPEDA principle #7 makes it mandatory to use appropriate safeguards to protect against the risk of theft or loss. Keep everything backed up on a secure device. Too many times a natural disaster has struck a practice and all of its stored information was instantly wiped out.
PIPEDA’s principles provide several ways for you to properly safeguard all your patient data:
- security clearances
- limiting access on a “need-to-know” basis
- staff training
And if you are one of the few offices keeping your files in paper folders, some security measures to have in place should include:
- Locked filing cabinets
- Restricting access to the office
- Alarm systems
4 Being too vague about your intentions
For this particular No-No, I have added two PIPEDA principles that apply here:
#4 Limit Collection. Seeing as this particular principle prohibits the use of information for anything other than the purpose for which it was collected, it is your responsibility to inform your patients, in a clear and concise manner, of exactly the purpose for which you are collecting their information. This applies to collecting personal information, medical information, and even financial information. Do not be vague or misleading. Tell them exactly what they need to and should know regarding the nature and purpose of the collection.
#8 is “Be Open”, and since trust depends on your ability to follow this particular principle, it is imperative to understand how important transparency is. Make sure your patients and the members of your team know “that you have policies and practices for the management of personal information.” Not only should they know why you’re collecting their information, but also that you follow certain policies and practices to protect that information. Make that information readily available in a form that is easy to read and understand, and as per PIPEDA, the following should be included:
- the name or title, and the address, of the person who is accountable for your privacy policies and practices and to whom complaints or inquiries can be forwarded;
- a description of how to gain access to personal information the organization holds;
- a description of what personal information is held, including a general account of its use;
- copies of brochures or other means which explain your policies, standards, or codes; and
- a description of what personal information you share with related organizations (e.g., subsidiaries).
5 Denying a patient’s request for information
Denying a patient’s request for their own information is a huge no-no. #9 of the PIPEDA principles, “Give Individuals Access”, makes it mandatory to provide information to the patient who requests it. The principle states that “Individuals have a right to access the personal information that an organization holds about them.” To fulfill this particular responsibility, the principle further states that you are to “provide any help the individual needs to prepare a request for access to personal information.”
6 Keeping personal information for longer than necessary
What is the timeline for keeping certain personal information on file? Is it 7 days, 14 days, a month, a year? Have you always struggled with this question? PIPEDA principle #5, “Limit Use, Disclosure and Retention”, states clearly to “keep personal information only as long as necessary to satisfy the purposes.” It is up to you to “Institute maximum and minimum retention periods that take into account any legal requirements or restrictions and redress mechanisms.”
The privacy laws differ slightly in British Columbia, Alberta, and Quebec, so if you are from one of these provinces and want to learn more about the privacy laws in your province, follow the corresponding link below:
- In Alberta, the privacy office is the Office of the Information and Privacy Commissioner of Alberta: http://www.oipc.ab.ca/
- In British Columbia, the privacy office is the Office of the Information and Privacy Commissioner for British Columbia: http://www.oipc.bc.ca/
- In Quebec, the privacy office is the Commission d’accès à l’information du Québec: http://www.cai.gouv.qc.ca/