Massage Therapy Canada

Features Education Regulations
Privacy Regulation in Canada

In this article, we will discuss the regulatory issues respecting the treatment of health-care records as they pertain to massage therapists in Canada.

April 13, 2012  By Jessica Foster

In this article, we will discuss the regulatory issues respecting the treatment of health-care records as they pertain to massage therapists in Canada. This material is not intended as legal advice and you are encouraged to read and understand the acts and legislation that apply to you.

What constitutes personal health information?
Personal health information is defined as any identifying information about an individual in oral or recorded form that relates to the provision of health care to the individual and/or relates to the physical or mental health of the individual. The information includes but is not limited to:

  • Patient health-care appointment records;
  • Information relating to the current or historical state of an individual’s physical or mental health;
  • Information pertaining to treatment, that ties a patient name with their caregiver or clinic;
  • Billing information related to patient treatment.

Which regulations apply to me?
Throughout Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to both federal and provincial organizations except where substantially similar legislation is approved. Ontario (PHIPA), British Columbia (PIPA), Alberta (PIPA) and Quebec (Quebec Privacy Act) all have privacy and/or health-care information privacy legislation that is substantially similar and that applies in their jurisdictions.

Client appointment records
Client appointment records are considered health information. 
In December 2006, the Ontario Privacy Commission found a custodian of massage therapy appointment records and health information negligent of taking reasonable steps to protect their records from theft, loss and unauthorized use as required by Ontario’s PHIPA. The commissioner also found that the breaches were “easily avoidable.”
Third-party online Systems
Health-care providers may wonder if third-party online appointment and record-keeping systems are compliant with Canadian regulations.
If the provider you are using is Canadian-owned, has your data stored within Canada and follows data security best practices, you will be in good shape.


However, foreign-owned online appointment and record-keeping companies must adhere to their own country’s privacy laws. For example, any American-owned company must comply with the USA Patriot Act – independent of the country where the data is stored. The Act allows U.S. authorities to access, copy, use and disclose the stored data without obtaining a warrant. Further, the American-owned company is not allowed to inform you that your client data has been taken. This would result in you needlessly exposing your clients to the privacy laws of a foreign country. This could also require you, at the very least, to somehow acquire informed consent from your clients advising them that their private health data is subject to foreign country privacy laws.

Electronic client data can easily be securely stored and maintained in Canada by any Canadian-owned company that is subject to Canadian privacy law.

First off, you need to create a privacy and security policy. It should define the administrative, technical and physical safeguards that must be employed by you and/or any third-party agent acting for you.

Best practices for massage therapists
The 10 principles of PIPEDA compliance that should be covered in your policy include: accountability, identifying purpose of information collection, knowledge and informed consent of individuals, limiting collection for necessary purpose, access only as required, accuracy of records, safeguarding of records, openness of information policy and practice, individual access to records and knowledgeable compliance.

For electronic record security, your policy should ensure the information storage system you use employs data security, encryption, firewalls, password protection and authorized personnel access, use and related security precautions.

Finally, you should create a contingency plan to inform your patients/clients in the event their information is compromised from a privacy or security aspect.

Loose lips sink ships
Health information custodians must not allow access to their client records by unauthorized persons. This can take the form of carelessly leaving paper records in your unlocked fireproof cabinet, leaving a laptop, thumb drive, PC or smartphone accessible to others or even just speaking about an identifiable client to an unauthorized person. Ensure client information is kept confidential at all times!

“When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.” 
– David Brin

Until next time, be well.

MindZplay Solutions is a provider of massage therapy websites and online practice management solutions. To learn more about mindZplay, visit us at or call toll free 888-373-6996.

Print this page


Stories continue below