Confused about how health care information privacy laws relate to digital record keeping? You’re not alone. Registered Massage Therapists are starting to use a ton of different software programs to manage their professional lives. Everything from scheduling appointments to emailing clients and submitting benefits claims is becoming more and more reliant on technology. The options for products to help us accomplish these tasks are endless – how do you know which products are safe to use, and which ones may put us at risk of violating a privacy law or CMTO regulation?
Let’s break it down into some easily digestible steps.
1. Familiarize yourself with PHIPA
Get familiar with your obligations as a massage therapist when it comes to health information. The CMTO outlines many requirements for us, but it’s important to know that there are other privacy laws that RMTs have to be compliant with too. This step is probably the most challenging for most (the language used in the law can be intimidating), but knowing what you’re responsible for is the most essential step to making sure you meet those obligations.
The Personal Health Information Protection Act (PHIPA) was enacted in 2004. PHIPA covers the use of health care information for non-commercial operations, such as providing client care or sharing information with other health care providers. Under this law, RMTs are considered health information custodians, which makes us responsible for the information we gather about our clients. It’s important to note that this Act is specific to Ontario.
2. Pick services which store data in the country
PHIPA doesn’t specify that records have to be kept in the country, but it does have security requirements we need to follow to prevent unauthorized access to, or disclosure of, our clients’ health records. Specifically:
“A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal. ” 2004, c. 3, Sched. A, s. 12 (1).
The issue with storing information in another country has to do with that requirement. Businesses operating in other countries don’t have to follow the same privacy laws that massage therapists in Ontario do. This can lead to trouble if the privacy laws in that country allow those businesses to share information more freely, or if other agencies in that country can access the information without getting consent – or even letting the health information custodian know it’s being accessed.
There is a law in the USA called the USA Patriot Act, which grants incredibly broad powers to a number of government agencies regarding the access of any records stored in the USA. In 2004, the privacy commissioner of British Columbia, David Loukidelis, spoke out against the law, and mentioned that “once information is sent across borders, it’s difficult, if not impossible, to control”. Since RMTs are responsible for the privacy of the information they gather from patients, and for controlling access to it, storing the information in the US is a definite privacy “don’t”.
3. Check the system yourself before you use it
Even if you’re using a record keeping system in the country, it’s up to you to figure out whether the system is compliant with privacy laws. Ask the vendor where the data is stored, who at the company can access it, and whether it is encrypted both in transit and on their servers. If there’s a violation, you’ll be the one that’s responsible, so check before you start to use a record keeping system!
4. Follow best-practice password standards
Accounts on even the most secure systems can be compromised by poor passwords. Using dictionary words, common patterns, short passwords, and other easy-to-avoid pitfalls can be the difference between keeping your clients’ data safe and having their information leaked.
When in doubt, use a password that meets (at least) the following criteria:
- isn’t a dictionary word or a common word with a number or symbol tacked on (ex: house, princess, computer, password, Princess123!)
- has at least 1 uppercase and 1 lowercase letter
- has at least 1 number
- has a non-alphanumeric character (@, !, #, etc.)
- is at least 12 characters long; length protects you more than any single symbol does, so a long passphrase made of several unrelated words is a good choice
Better still, let a password manager generate and remember a unique random password for each service, so you only need to memorize one strong master passphrase.
Don’t use the same password as you do on other online services, and make sure not to share your account information. If you’re sharing a system with multiple therapists, reception staff, or other users, make sure each one can get their own login! If you use the ClinicWise Clinic Management Database system, this can be done by creating Sub Accounts for each user.
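The criteria above are easy to check automatically. The following is an added example (it is not part of the original post and not ClinicWise code) that scores a candidate password against those rules plus two pitfalls the bullet list only hints at: a common word disguised with letter-for-symbol substitutions, and keyboard or number patterns. The word list and patterns are constructed and deliberately tiny; a real deployment would load a breached-password list instead. The minimum length is a parameter (12 here).

```python
import re

MIN_LENGTH = 12

# Constructed, deliberately tiny list of dictionary words and known-bad
# passwords. In practice load a breached-password list from disk.
COMMON_WORDS = (
    "password", "princess", "computer", "house", "massage", "clinic",
    "welcome", "letmein", "qwerty", "abc123", "iloveyou", "monkey",
)

# Keyboard walks and number runs that make a password guessable even
# when every character-class rule is satisfied.
PATTERNS = ("123", "1234", "4321", "abc", "abcd", "qwerty", "asdf",
            "zxcv", "0000", "1111")

# Undo the usual letter-for-symbol swaps so "P@ssw0rd" still reads as
# "password" when compared against the word list.
LEET = str.maketrans("@$0!1357", "asoiiest")


def normalise(pw: str) -> str:
    return pw.lower().translate(LEET)


def check_password(pw: str) -> list[str]:
    """Return a list of problems; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")

    # Dictionary check on the de-leeted form. A word is flagged when it
    # makes up most of the password ("Princess123!"); a long passphrase
    # that merely contains "house" somewhere is not penalised.
    norm = normalise(pw)
    for word in COMMON_WORDS:
        if word in norm and len(word) >= 0.6 * len(pw):
            problems.append(f"built around the common word '{word}'")
            break

    lowered = pw.lower()
    for pat in PATTERNS:
        if pat in lowered:
            problems.append(f"contains the common pattern '{pat}'")
            break

    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeats the same character three or more times")
    return problems


def is_acceptable(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    # Constructed sample inputs, not real passwords from anyone.
    for candidate in ("P@ssw0rd1!", "Princess123!", "Tuesday-Lavender-Tea-Room-42"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note that "P@ssw0rd1!" satisfies every character-class bullet and is still rejected: the substitution trick is the first thing a cracking tool tries.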
5. Use services that encrypt data
Information that you enter into a web-based program doesn’t go right from point A (your computer) to point B (the server computer the program is running on) and back again. It actually passes through a series of computers, in a sort of information relay.
When you hear websites talking about SSL (today the protocol is actually TLS, but the name stuck) or encryption, they’re talking about converting the information that’s being sent from your computer to the server computer into a format that doesn’t let those extra, relay computers make sense of the information. For instance, instead of the information looking like “credit card number: 4520 ….”, to those other computers it looks like “aZ56Rlf0s2 ….”. This helps to prevent the information from being read or accessed without your knowledge or consent, which is one of the “reasonable steps” PHIPA s. 12 (1) asks for. On its own, though, it doesn’t make a system compliant: encryption in transit says nothing about how the data is stored once it reaches the server, or about who at the company can see it.
The easy way to tell if a website encrypts data in transit is to look at the URL (web address) for the website. The address will start with one of two things: http or https. If you see the s, and your browser shows the padlock with no certificate warning, then the information being sent to the site is encrypted. Never click past a certificate warning to reach a clinic system, since that warning means the browser could not confirm who is on the other end. If you’re not sure, contact the company that makes the system.
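Looking for the “s” is a fine first check, but the “s” has to be in the scheme at the very start of the address, not somewhere later in it, and a bare address with no scheme at all will usually be loaded over plain http. The following is an added example (not code from the original post or from ClinicWise) that applies that check to a few constructed addresses, and, if you pass a hostname on the command line, opens a verified TLS connection the same way a browser does and reports what was negotiated. The sample URLs are made up; only the command-line path touches the network.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit


def check_url(url: str) -> str:
    """Classify a web address by the transport its scheme implies."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme == "https":
        return "encrypted in transit"
    if scheme == "http":
        return "CLEARTEXT: every relay on the path can read it"
    if not scheme:
        return "no scheme: the browser will most likely default to http"
    return f"unexpected scheme {scheme!r}"


def tls_report(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with certificate and hostname verification on (the default
    in create_default_context) and report the negotiated parameters.
    An expired, self-signed or wrong-name certificate raises
    ssl.SSLCertVerificationError, which is the same situation in which
    a browser shows its warning page. Requires network access."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse obsolete protocols
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }


# Constructed sample addresses; none of these hosts are real services.
SAMPLE_URLS = (
    "https://booking.example/login",
    "HTTPS://Booking.Example/login",       # scheme is case-insensitive
    "http://booking.example/https/login",  # the 's' is in the path, not the scheme
    "booking.example/login",               # no scheme at all
)

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:40} -> {check_url(url)}")
    if len(sys.argv) > 1:
        # e.g. python this_script.py booking.example
        print(tls_report(sys.argv[1]))
```

The second address is the same site as the first; the third is the trap the “look for the s” rule of thumb misses.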
One easy way to make sure you’re staying compliant is by using the ClinicWise Clinic Management Database system. However, regardless of which massage therapy clinic program you decide to use, make sure to check up on their privacy practices!
Have any privacy law compliance tips of your own? Share them in the comments!