Many Canadian professionals mistakenly believe that it is fine if a U.S.- or other foreign-owned service provider stores their patient data on a server located in Canada. What they may not realize is that the USA PATRIOT Act applies to this situation. The Patriot Act, among other things, allows United States law enforcement agencies to examine, remove, and copy any U.S.-owned company's databases (including its clients' stored data), business records, financial records, and more, without a warrant, no matter where the server is located.
This immediately puts you on the wrong side of Canadian health care privacy laws. There is an argument that it might be acceptable if your patients have given you written permission to store their data on a foreign server (or on a foreign-owned server located in Canada), thereby exposing it to foreign privacy laws. However, it is unlikely your patients will agree, due to obvious privacy concerns.
So, it’s not a good idea for you to blindly sync your treatment calendar with a foreign-owned cloud-based calendar service. Fortunately, for those wanting to sync calendars, there are methods to do so safely and still remain compliant with the relevant Canadian privacy regulations.
Some practice management systems that offer third-party calendar synchronization allow you to define which appointment fields are synced to your personal calendar. This gives you the control necessary to sync your data without violating applicable privacy laws. For example, you can choose to sync the date and time only, so that no patient personal information is included; this option is extremely safe. Alternatively, you can sync the date and time plus the patient's first name and last initial; this option could also be considered "safe," but it is not as safe as the first.
Other calendar sync options worth considering are the features that let you control how much appointment data is shared with your personal calendar each time you sync (i.e. how many days' worth of information, backward and forward in time, are being pulled). Define the date window just wide enough that you can plan your personal time efficiently in the near future. By minimizing the amount of appointment information present on your personal calendar at any one time, you also minimize your risk.
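As an added illustration (not code from this post or from mindZplay's product), here is a small Python model of the two controls just described: a field policy that decides what, if anything, about the patient reaches the personal calendar, and a date window that limits how many appointments are pulled at each sync. The APPOINTMENTS records, the policy names and the function names are assumptions made up for the example.

```python
from datetime import date, datetime, timedelta

# Constructed sample export from a practice management system (fictitious patients).
APPOINTMENTS = [
    {"start": "2024-03-01T10:00", "minutes": 60, "patient": "Jane Doe",
     "location": "Room 2", "notes": "Lower back pain follow-up"},
    {"start": "2024-03-05T14:30", "minutes": 45, "patient": "Amir Khan",
     "location": "Room 1", "notes": "Initial assessment"},
    {"start": "2024-03-20T09:00", "minutes": 60, "patient": "Li Wei",
     "location": "Room 2", "notes": "Sports injury"},
]


def summary_for(appt, policy):
    """Build the calendar event title under a minimisation policy (assumed names).

    'time_only' -> no patient data at all (the safest option described in the post).
    'initials'  -> first name plus last initial (less safe, but never the full name).
    Any other policy is refused, so notes, location and full names never leave the PMS.
    """
    if policy == "time_only":
        return "Appointment"
    if policy == "initials":
        first, _, last = appt["patient"].partition(" ")
        initial = f" {last[:1]}." if last else ""
        return f"Appointment: {first}{initial}"
    raise ValueError(f"unsupported sync policy: {policy}")


def build_sync(appts, today, days_back, days_forward, policy="time_only"):
    """Return the minimised events inside the sync window around `today` (ISO date)."""
    today = date.fromisoformat(today)
    window_start = today - timedelta(days=days_back)
    window_end = today + timedelta(days=days_forward)
    events = []
    for appt in appts:
        start = datetime.fromisoformat(appt["start"])
        if not (window_start <= start.date() <= window_end):
            continue  # outside the window: not pulled into the personal calendar
        end = start + timedelta(minutes=appt["minutes"])
        # Only start, end and the policy-filtered title are exported; no other fields.
        events.append({"start": start.isoformat(), "end": end.isoformat(),
                       "summary": summary_for(appt, policy)})
    return events
```

With a seven-day window either side of 2024-03-04, only the first two appointments are exported, and under the default policy their titles carry no patient information at all.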
Some tips for being compliant when syncing your treatment calendar:
- Ensure your professional calendar is on a Canadian-located server and that the calendar/practice management system you use is wholly owned by Canadians. It would be a good idea to seek this assurance in writing. If your data is taken by a foreign government agency, you can then prove in writing that you did what was required of you.
- Avoid using a patient’s complete name on the personal calendar you are syncing with. Your practice management service should allow you to exclude or de-identify the patient information.
- Do not put any personal health information (PHI) on your personal calendar. This includes a patient's location, name, etc.
- Assume the worst – that any foreign-owned or operated server data will be appropriated by a foreign law enforcement agency and keep yourself compliant with your privacy obligations.
How compliant is your treatment calendar with Canadian PIPEDA and the provincial personal health information legislation?
Jessica Foster writes on behalf of mindZplay Solutions, provider of massage therapy websites and practice management solutions. To learn more, visit massagemanedger.com.