Privacy Commissioner Issues Guidelines for Virtual Care Visits

By Clancy Catelin

The Information and Privacy Commissioner of Ontario released a practical set of guidelines for the health sector regarding conducting virtual health care visits (the “Guidelines”). Virtual health care can include secure messaging, telephone consultation, and videoconferencing. The Guidelines include an overview of the various privacy and security considerations health information custodians (“HICs”) should have in mind as they plan and deliver virtual health care. The timing of these guidelines is fitting, as this month Ontarians mark the anniversary of the Covid-19 pandemic, which has accelerated the adoption of virtual health care options across the province.

Regardless of whether heath care is provided in-person or virtually, HICs must comply with the provisions of the Personal Health Information Protection Act, 2004 (“PHIPA”) with regard to the personal health information (“PHI”) of their patients. However, protecting PHI in the context of virtual health care may require updates to a HICs privacy practices, as virtual health care raises new kinds of cybersecurity risks that are not as prevalent in the analog world.

The Guidelines identify several key PHIPA requirements that have implications for how virtual care is delivered. These include:

  • minimizing the personal health information that is collected, used, or disclosed to that which is reasonably necessary to provide care;
  • taking reasonable steps under the circumstances to protect PHI against theft, loss, or unauthorized use or disclosure by using technological and physical safeguards;
  • ensuring that records are retained, transferred, and disposed of securely;
  • choosing PHIPA compliant service providers and putting agreements in place to ensure that these service providers handle PHI appropriately and report any potential privacy breaches to the HIC;
  • ensuring that accurate and complete records are retained and that patients continue to have the same access and correction rights as they would to information collected in-person.

Using appropriate technology and adopting appropriate safeguards when providing virtual care are also key considerations. The Guidelines make several practical safeguard suggestions to help HICs navigate this transition, including:

  • Avoiding the use of personal email, unencrypted messaging, and free cloud-based videoconferencing platforms;
  • Using up-to-date technical safeguards such as firewalls and malware/antivirus protection;
  • Encrypting data on all mobile and portable storage devices, as well as attachments including sensitive information;
  • Using and maintaining strong passwords and the most privacy protective settings;
  • Using an email confidentiality notice and disclaimer;
  • Ensuring patients understand how to use electronic medical record portals, if available;
  • Ensuring that patient information is up to date and confirming the identity of a patient before sending sensitive information;
  • Recommending that the patient apply available safeguards themselves, such as a private, password-protected email;
  • Assessing the work-from-home environment and how physical safeguards can be implemented in that environment;
  • Updating training, agreements, and internal processes for ensuring the secure use of email, messaging, and videoconferencing, as well as documentation of these interactions.

The Guidelines also highlight the importance of case selection by health professionals for virtual health care and ensuring that the right resources and procedures are in place to allow for the safe and effective provision of care. HICs also need to obtain patient consent and inform them of the limitations and risks of virtual care visits, including potential privacy breaches related to the use of electronic communication.

For a HIC to ensure that they are continuing to meet their obligations with respect to PHI, the Guidelines recommend undertaking privacy impact assessments for new technology and processes, as well as updating privacy policies and staff training. HICs looking for help meeting these requirements can find further advice in the Guidelines, as well as other resources such as Ontario Health’s Virtual Visits Solution Standard and the IPC’s fact sheets Communicating Personal Health Information by Email and Protect against Phishing.

If you or your organization are providing virtual health care services but have not yet revised your privacy procedures or require staff training, please contact us.


Posted in:

Back to Top