Privacy of Information

Question 1

Acts/ Statues

Answer 1

Most commonly though of form of law (BC Legislation).
PIPA, HPA, HPOA

Question 2

Regulations

Answer 2

Developed by the government to establish the workings of a regulatory college.

Question 3

Bylaws

Answer 3

Made by the regulated college to manage internal operations

Question 4

Case Law

Answer 4

Court decisions used as a guide by lawyers and judges when similar situations arise

Question 5

Guiding Documents

Answer 5

Document published by the college to guide clinical practice such as Standards of Practice and Policy statements.
These documents are not “law”.

Question 6

What are some provincial and federal privacy organizations?

Answer 6

Office of the Information & Privacy Commissioner of BC
-enforce the privacy of information
Government of Canada Protection Act

Question 7

What are the acts under of Office of the Information & Privacy Commissioner of BC?

Answer 7

Freedom of Information and Protection of Privacy Act (FOIPPPA-BC).
Personal Information Protection Act (PIPA-BC).

Question 8

Freedom of Information and Protection of Privacy Act (FOIPPPA-BC)

Answer 8

protection act used in public health care settings (hospitals, health authorities, MSP).
guarantees the right of the public to gain access to their information and request corrections.
does not apply to information gathered by private sectors.

Question 9

Personal Information Protection Act (PIPA-BC)

Answer 9

applies to Kinesiologists working in private settings.
BC-based business must comply with this act.
personal information cannot be collected, used, or disclosed without prior informed consent.

Question 10

What act falls under the Government of Canada Protection Act?

Answer 10

Personal Information Protection and Electronic Document Act (PIPEDA)
-government of Canada enforcement of information privacy
-law giving individuals the right to access and request corrections about their personal information

Question 11

What are you protecting?

Answer 11

Personal Information
Confidentiality

Question 12

Personal Information

Answer 12

Any identifiable items about a person including gender, age, ethnic origin, identification numbers, financial information including credit card information, personal health information, religious affiliations, travel and donation history, personal henbits, and personal history.
Any and all information collected from a client (health or othterwise) cannot be shared without informed consent from said client.

Question 13

Confidentiality

Answer 13

Maintaining confidentiality is fundamental to any practicing Kinesiologist and is central to the client-therapist relationship.
-protecting information through appropriate consent and security means
-disclosing only what have been authorized
-destroying information that is no longer required or has reached its retention limit

Question 14

How are you protecting?

Answer 14

Use secure files.
Encrypt sensitive data.
Use encrypted communication channels.
User authentication.
Role-based access.
Session management.
Electronic Health Records (EHR) systems
Secure devices.

Question 15

Encrypt sensitive data

Answer 15

all patient data stored digitally should be encrypted both at rest (stored data) and in transit (data being transmitted) to prevent unauthorized access.

Question 16

Use encrypted communication channels

Answer 16

utilize secure, encrypted email services or patient portals for communicating sensitive information; has to be HIPA approved.

Question 17

User authentication

Answer 17

implement strong password policies, multi-factor authentication (MFA), and user authentication protocols to ensure that only authorized personnel can access patient data.

Question 18

Role-based access

Answer 18

restrict access to patient information based on the user’s role within the organization.

Question 19

Session management

Answer 19

automatically log out users from systems after a period of inactivity to reduce the risk of unauthorized access.

Question 20

Electronic Health Records (EHR) systems

Answer 20

use certified and secure EHR systems that comply with relevant legal standards from handling patient data.
paper medical records must be kept in a locked file, at rest or in travel (locked in folder in vehicle).

Question 21

Secure devices

Answer 21

ensure that all devices used in access patient information (computers, tablets, smartphones) have up to date antivirus software, firewalls, and are configured with security settings.

Question 22

What are the 10 privacy principles?

Answer 22

Accountability
Identifying Purposes
Consent to Collect, Use and Disclose
Limiting collection
Limiting Use, Discloser, and Retention
Accuracy
Safeguards to Protect Information
Openness
Individual Access
Challenging Compliance

Question 23

Accountability

Answer 23

Kinesiologists are responsible for the personal information of both the clientele and employees.
Privacy Officer must be appointed to work in compliance with PIPA-BC.
Privacy Officer Contact info needs to be accessible to the public.
Sole proprietor/self-employed Kinesiologists all need their own privacy policy document.

Question 24

What are the responsibilities of the Privacy Officer?

Answer 24

Help clients understand what happens to their information.
Develop and implement organizations policies and procedures.
Train employees about privacy policies and confidentiality.
Respond to inquiries and complaints.
Oversee privacy practices.
Ensure compliance with government legislation.

Question 25

Identifying Purposes

Answer 25

An organization or Kinesiologist should be able to identify WHY they are collecting the information and what benefit it has to be collected. If no reason can be identified, then it should no longer be collected.

Question 26

Consent to Collect, Use, and Disclose

Answer 26

Kinesiologists are required to obtain consent to collect, obtain and disclose personal information. Consent should be expressed verbally and/or in writing. Implied consent should only be used in the absence of ability to give expressed consent.

Question 27

Limiting Collection

Answer 27

Kinesiologists/organization are only permitted to collect the minimum amount of information necessary to fulfill the requirements for optimal care for the clientele. If you do not need the information, do not collect it.

Question 28

Limiting Use, Disclosure, and Retention

Answer 28

Kinesiologist can only collect personal information for the purposes communicated to the client. If collection purposes change, this must be communicated to the client and new consent obtained. A "release of information" form is recommended whenever a clients personal information is being requested.

Question 29

Accuracy

Answer 29

Information obtained and maintained must be kept up to date.

Question 30

Safeguards to Protect Information

Answer 30

Kinesiologist/organizations must take steps to safeguard personal information against loss, theft, unauthorized disclosure, copying or use. Encrypted digital products. -encryption is a process used to protect data by converting it into a coded format that is unreadable to anyone who does not have the proper authorization or the key to decode it. Paper information in single or double locked safes at all times when not in direct use. Passcodes used on all digital devices. EMR that complies with PIPEDA.

Question 31

Openness

Answer 31

Kinesiologist must divulge what information is being held and how it is used. It has to be known how an individual can access their information.

Question 32

Individual Access

Answer 32

Clients are entitled to access their personal information to ensure accuracy and completeness. Organization can charge a minimal fee.

Question 33

Challenging Compliance

Answer 33

Members of the public are able to challenge a kinesiologist/organizations compliance with privacy of information by contacting the chief privacy officer. Clients an also report to the Office of the Information and Privacy Commissioner of BC (OPIC) and file a complaint. -Kinesiologist reply to the OIPC must be completed within 30 days.

Question 34

What is a Privacy Officer?

Answer 34

Every organization must assign one or more Privacy Officer(s). Responsibilities include... -conducting privacy audit -develop privacy policy -implement and maintain privacy policy -manage privacy training -respond to requests of access or corrections to personal information -work with the Office of the Information and Privacy Commissioner during investigations

Question 35

Privacy Policy

Answer 35

Should contain a number of sections that clearly outline how personal information is managed, secured, and dealt with. Goal is to put in place practices that protect personal information from unauthorized access, disclosure, or tampering. -restricted access, locked cabinets -security clearance -passwords, encryptions, virus protection, firewalls

Question 36

Complaints

Answer 36

A client is upset about how information is obtained and protected, so the following steps must be taken by the kinesiologist... -brought to the immediate attention of the organization -provide the client with information on how to contact the Chief Privacy Officer -information on how to lodge a formal complaint with provincial and federal commissioner