RMT Tech Talk: Is mixing business and personal calendars a good idea?
More and more we are hearing practitioners say that they want their patient appointments imported into, or synced with, their personal calendar (such as Google Calendar, iCal or Microsoft Outlook) so that they can better manage their time.
By Jessica Foster
Clearly, the technology to do this exists, and many complementary health-care providers do in fact sync their professional and personal calendars. But the popular personal calendars named above are all foreign-owned, so if you are planning to sync your treatment calendar with one of them, or already do, it is very important to do it in a way that does not expose your patients' personal health information (PHI). As a health-care professional you are obligated to keep patient PHI private, and that obligation extends to appointment data, because an appointment links your patient's name to you as a health-care provider.
Many Canadian professionals mistakenly believe that it is fine for a U.S.- or other foreign-owned provider to store patient data as long as the server is located in Canada. What they may not realize is that the USA PATRIOT Act applies to this situation. Among other things, it lets U.S. law enforcement and intelligence agencies compel a U.S.-owned company to produce its databases (including clients' stored data), business records, financial records and more, in some cases without a conventional warrant and without notifying the customer, no matter where the server is located.
This immediately puts you on the wrong side of Canadian health-care privacy law. One argument holds that it might be acceptable if your patients have given you written permission to store their data on a foreign server (or on a foreign-owned server located in Canada), knowingly exposing it to foreign law. In practice, however, patients are unlikely to agree, for obvious privacy reasons.
So it is not a good idea to blindly sync your treatment calendar with a foreign-owned, cloud-based calendar service. Fortunately, for those who want to sync calendars, there are ways to do so safely while remaining compliant with the relevant Canadian privacy regulations.
Some practice management systems that offer third-party calendar synchronization let you choose which appointment fields are synced to your personal calendar. That control is what lets you sync your data without violating applicable privacy laws. Two typical options:
- Date and time only, so that no patient information leaves the practice system at all. This is the safest option.
- Date and time plus the patient's first name and last initial. This can also be considered safe, but it is less safe than the first option, since a first name and initial may still identify a patient to anyone who sees your personal calendar.
Another sync option worth looking for is a control over how much appointment data is shared with your personal calendar on each sync, that is, how many days' worth of appointments back and forward in time are pulled. Set the window just wide enough to plan your personal time in the near future. Minimizing the appointment information on your personal calendar at any one time also minimizes your exposure if that calendar is ever compromised or disclosed.
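As an added example (not code from this article, from mindZplay, or from any real practice management system), the following Python applies both controls described above to a set of constructed appointment records: a field policy decides what text the synced event title may carry, a date window limits how far back and forward records are exported, and a final check confirms that no surname, treatment or location string survived into the iCalendar feed that would be handed to the personal calendar. The record layout, the policy names, the practice name and the sample appointments are all assumptions made for the example.

```python
"""Minimise what a treatment calendar shares with a personal calendar.

Added example; not the page's or any vendor's code.  The Appointment
layout, policy names and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List

# The two field policies discussed in the text.
DATE_TIME_ONLY = "date_time_only"
FIRST_NAME_LAST_INITIAL = "first_name_last_initial"


@dataclass(frozen=True)
class Appointment:
    """One row from a hypothetical practice management system."""
    start: datetime
    end: datetime
    patient_first: str
    patient_last: str
    treatment: str  # PHI: never exported under any policy
    location: str   # PHI: never exported under any policy


@dataclass(frozen=True)
class SyncedEvent:
    """The only fields allowed to reach the personal calendar."""
    start: datetime
    end: datetime
    title: str


def event_title(appt: Appointment, policy: str) -> str:
    """Return the only patient-related text a synced event may carry."""
    if policy == DATE_TIME_ONLY:
        return "Appointment"
    if policy == FIRST_NAME_LAST_INITIAL:
        return f"{appt.patient_first} {appt.patient_last[:1]}."
    raise ValueError(f"unknown sync policy: {policy!r}")


def in_window(appt: Appointment, today: date, days_back: int, days_forward: int) -> bool:
    """True if the appointment starts within [today - days_back, today + days_forward]."""
    lo = today - timedelta(days=days_back)
    hi = today + timedelta(days=days_forward)
    return lo <= appt.start.date() <= hi


def redacted_events(appts, policy, today, days_back, days_forward) -> List[SyncedEvent]:
    """Apply both controls: drop records outside the window, then strip fields."""
    return [
        SyncedEvent(a.start, a.end, event_title(a, policy))
        for a in sorted(appts, key=lambda a: a.start)
        if in_window(a, today, days_back, days_forward)
    ]


def to_ics(events: List[SyncedEvent], calendar_name="Treatment calendar (redacted)") -> str:
    """Serialise as a minimal RFC 5545 feed (floating local times, no time zone)."""
    lines = ["BEGIN:VCALENDAR", "VERSION:2.0",
             "PRODID:-//example//redacted-sync//EN", f"X-WR-CALNAME:{calendar_name}"]
    for i, ev in enumerate(events):
        lines += ["BEGIN:VEVENT",
                  f"UID:{ev.start:%Y%m%dT%H%M%S}-{i}@redacted-sync.invalid",  # assumed domain
                  f"DTSTART:{ev.start:%Y%m%dT%H%M%S}",
                  f"DTEND:{ev.end:%Y%m%dT%H%M%S}",
                  f"SUMMARY:{ev.title}",
                  "END:VEVENT"]
    lines.append("END:VCALENDAR")
    return "\r\n".join(lines) + "\r\n"


def phi_leaks(ics_text: str, appts) -> List[str]:
    """Last check before upload: which full surnames, treatments or locations appear in the feed?"""
    found = []
    for a in appts:
        for field in (a.patient_last, a.treatment, a.location):
            if field and field in ics_text:
                found.append(field)
    return found


# Constructed sample data; a fixed 'today' keeps the example deterministic.
TODAY = date(2024, 3, 4)
SAMPLE = [
    Appointment(datetime(2024, 3, 3, 9), datetime(2024, 3, 3, 10), "Ken", "Nakamura",
                "Relaxation massage", "Clinic room 2"),
    Appointment(datetime(2024, 3, 4, 14), datetime(2024, 3, 4, 15), "Maria", "Lopez",
                "Deep tissue, lower back", "Clinic room 1"),
    Appointment(datetime(2024, 3, 14, 11), datetime(2024, 3, 14, 12), "Priya", "Singh",
                "Prenatal massage", "Home visit, 12 Elm St"),
    Appointment(datetime(2024, 4, 3, 16), datetime(2024, 4, 3, 17), "Sean", "O'Brien",
                "Sports massage", "Clinic room 1"),
]

if __name__ == "__main__":
    # Today plus two weeks ahead, nothing from the past: two of the four records survive.
    events = redacted_events(SAMPLE, FIRST_NAME_LAST_INITIAL, TODAY, 0, 14)
    feed = to_ics(events)
    print(feed)
    print("PHI leaks:", phi_leaks(feed, SAMPLE) or "none")
```

The substring check at the end is deliberately crude and is a safety net, not a substitute for choosing the narrower policy: a first name and initial can still identify a patient in a small community, which is why the text ranks that option below date-and-time only.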
Some tips for being compliant when syncing your treatment calendar:
- Ensure your professional calendar is hosted on a server located in Canada and that the calendar or practice management system you use is wholly Canadian-owned. Get this assurance in writing. If your data is ever seized by a foreign government agency, you can then show that you did what was required of you.
- Avoid using a patient’s complete name on the personal calendar you are syncing with. Your practice management service should allow you to exclude or de-identify the patient information.
- Do not put any personal health information (PHI) on your personal calendar. This includes a patient's name, address or location, and anything about their condition or treatment.
- Assume the worst – that any foreign-owned or operated server data will be appropriated by a foreign law enforcement agency and keep yourself compliant with your privacy obligations.
You can research PHI and the Personal Information Protection and Electronic Documents Act (PIPEDA) to make sure you are not violating Canadian privacy law. In Canada there are two main sets of rules you must comply with. The general personal-privacy legislation is the federal PIPEDA, which applies in every province except those with substantially similar legislation of their own. Personal health information legislation varies by province and goes by names such as PHIPA (Ontario), HIA (Alberta) and PIPA (British Columbia), to name a few.
How compliant is your treatment calendar with PIPEDA and your province's personal health information legislation?
Jessica Foster writes on behalf of mindZplay Solutions, provider of massage therapy websites and practice management solutions. To learn more, visit massagemanedger.com.