PATIENT AND CARE TEAM DIGITAL COMMUNICATION POLICY
Patient and Care Team Digital Communication Policy
Page 1 of 15
Version 1 – January 2020
Document metadata
Revisions: Version 1.0, March 12, 2020, author IPSSC
Contact/author: [email protected]
Document name: Patient and Care Team Digital Communication Policy
Approved by: Information Privacy and Security Standing Committee; CIO Digital Leadership Committee; BC Health Regulators
Reviewed by: Office of the Information and Privacy Commissioner
Date approved:
Date effective:
Next review due by:
ARCS/ORCS number:
SFP LAN filing location:
OCIO security classification: Low Sensitivity
Contents
Document metadata (page 2)
I Document Purpose (page 4)
II Scope (page 4)
III Responsibility (page 4)
IV Background (page 4)
V Definitions (page 5)
VI Any Questions / Comments? (page 5)
1.0 Communicating with Clients (page 6)
2.0 Communication Between Providers (page 6)
3.0 Permitted and Prohibited Digital Communications (page 7)
4.0 Consent (page 8)
5.0 Identity Validation (page 8)
6.0 Device & Application Requirements (page 10)
7.0 Encryption (page 11)
8.0 Record Keeping (page 12)
9.0 Breach Notification (page 12)
APPENDIX A: Client Notification Form (page 13)
APPENDIX B: Validation (page 14)
   Validation Scripts (page 14)
   Options for Validating (page 14)
APPENDIX C: Mobile Device Security Guidelines (page 15)
I Document Purpose
This policy describes how staff and health care providers can use digital communications in a consistent manner to communicate with Clients and other care Providers. The purpose is to establish specific requirements and processes to mitigate the privacy and security risks associated with the use of digital communication.

II Scope
This policy applies to all BC health organizations across all private and public settings. This includes administrative staff and Providers in all points of health care delivery and is applicable to all personal information transmitted using digital communications. This policy only applies to the transmission of personal information.
Public communication is not within the scope of this policy and is left to the discretion of each organization. Also out of scope is the general sharing of patient information within the health sector, which is addressed under each organization’s posted collection notices.

III Responsibility
It is the responsibility of all Providers who communicate with Clients electronically to read and ensure compliance with the policies and standards in this document. Non-compliance with any of the policies or standards may result in Providers being in breach of legislation, regulations, bylaws, policies or standards of practice.
Provincial legislation and regulation require both public and private Providers to protect the personal information in their care and custody. It is the responsibility of Providers to ensure compliance with the applicable privacy legislation (FOIPPA and/or PIPA), college by-laws and standards of practice, as well as each organization’s privacy policies.

IV Background
This policy has been developed in collaboration with BC health authorities, Doctors of BC, the College of Physicians and Surgeons of BC, the BC College of Nursing Professionals, BC Health Regulators, the Patient Voices Network and the Ministry of Health to provide consistent policy guidance for all health care providers in the province of BC.
The goal of this policy is to empower Clients with the information they need, reduce the burdens associated with obtaining access to personal information, and improve the timeliness of communication and information sharing between Clients and Health Care Providers (Providers).
V Definitions
“Client” refers to patients receiving health care from providers as well as their family members and Representatives;
“Consent” means the voluntary agreement of an individual to allow something to occur;
“Digital communication” includes the use of email, phone, text, video conference and any other form of electronic transmission used to send patient information or facilitate an exchange of information between Providers and Clients;
“Employer provided devices and applications” means an employer issued, handheld, mobile device or software that provides information production, access, or storage capabilities for business use (e.g., mobile phone, tablet);
“Encryption” means the process of encoding and transforming information so that it is unreadable to anyone who does not hold the key needed to decode it;
“Identity verification” means the process used in this policy to confirm the identification of the individual requesting or receiving personal information;
“Health care provider” means any individual who is providing care to a patient, including regulated and non-regulated health professionals and hospital and clinic administrative staff;
“Personal information” means any recorded information about an identifiable individual other than contact information;
“Privacy Breach” means when personal information is accessed, collected, used, disclosed or disposed of without authorization, or results in loss;
“Recipient” refers to a Client or Provider who is receiving personal information;
“Representative” means an individual who is legally able to make decisions formally on behalf of the patient as referenced under the Representation Agreement Act, the Freedom of Information and Protection of Privacy Act, the Public Guardian and Trustee Act, or the Adult Guardianship Act;
“Sender”: while Clients may send personal information, for the purpose of this policy the term is used to describe a Provider who is sending personal information to either a Client or another Provider;
“Transitory records” means documentation that is not an integral part of an administrative or operational record series, that is not regularly filed, or that is only required for a limited period of time for the completion of a routine action or for the preparation of an ongoing record. This may include temporary communication such as an email or text which is not recorded to a patient’s health record.

VI Any Questions / Comments?
This document is updated annually and as required. Comments and suggestions are always welcome and may be used to inform future versions. For clarification and assistance with this document, or to provide feedback, please email:
1.0 Communicating with Clients
1.1 Providers may use digital communications to send personal information to Clients for the purpose of managing care.
Clarification:
A Provider may send a Patient’s own information via email, text or other digital modality if the patient has been notified of the risks (Section 3) and the Provider has made a reasonable effort to validate the identity of the Client (Section 4).
Communications with a patient’s family members, friends or Representatives should only occur if the patient has consented to the disclosure of information or the disclosure is authorized under an enactment of BC or Canada.
Reference(s):
FOIPPA: Section 33 and 33.1
PIPA: Section 8, 17 and 18
Representation Agreement Act
Public Guardian and Trustee Act
Adult Guardianship Act

2.0 Communication Between Providers
2.1 Providers may use digital communications to send information to other Providers and members of the care team to manage care, refer patients or consult with other health care professionals.
Clarification:
Communication between members of the care team does not require consent by a patient. Unnecessary personal information should be excluded where possible.
Sending Providers rely on the legal and professional requirements that apply to all other health care professionals for assurance that the information will be appropriately protected from unauthorized access, collection, use and disclosure, copying, modification, or disposal while in the receiving Providers’ care.
Reference(s):
FOIPPA: Section 30
PIPA: Section 34
3.0 Permitted and Prohibited Digital Communications
3.1 Permitted digital communications:
- Patient care
- Scheduling appointments (general day / time / location)
- Appointment & testing reminders
- Providing results
- Providing follow-up instructions
- Prescription information (NOT prescribing; providing medication advice and answering questions only)
- Large / bulk data requests (must be encrypted according to internal policy)
- Emergencies (only if no other option exists or there is no other means of contacting)
- Order prescribing
3.2 Prohibited digital communications:
- Medication prescribing
- Emergencies (unless no other option exists or there is no other means of contacting)
Clarification:
The above permitted and prohibited digital communications are based on legislation and regulation. The policies of each organization may have additional limitations on permitted communication.
Reference(s):
Pharmaceutical Services Act section 27
Pharmaceutical Services Act Information Management Regulation section 2
FOIPPA
PIPA
College of Physicians and Surgeons of British Columbia and the BC College of Nursing Professionals
4.0 Consent
4.1 By agreeing to use a digital modality, Clients provide consent for personal health information to be shared between them and their Provider.
Clarification:
This policy does not rely on written patient consent for the use of digital communications. Instead, patients are notified of the potential risks associated with the use of digital communications via a Patient Notification for Digital Communications form (Appendix A). Once the patient has received the form, consent is confirmed virtually through the Identity Validation process.
Documentation of patient consent is not necessary under this policy, given that consent will be confirmed on an ongoing basis by the patients’ continued use of digital communications. At any point in the process, patients can choose to stop communicating with their health care provider through a digital modality.
Reference(s):
PIPA: Section 8
FOIPPA: exceptions outlined in section 26(d)(i), 30.1(a), and 33.1(1)(b)
Appendix A

5.0 Identity Validation
5.1 Prior to sending any personal information, Providers must verify the identity of the recipient. The Provider must also confirm that the Client accepts the potential risks associated with digital communication.
Clarification:
Confirming the identity of the recipient prior to disclosing information digitally assists in preventing the unauthorized disclosure of personal information.
Identity validation does not need to occur if the Provider can confidently determine that Personal Information is going to the correct individual based on the following:
- that the request is not suspicious or unusual,
- that the request is relevant to the Client’s care,
- that the request does not constitute large volumes of sensitive data,
- that there has not been a significant lapse in time between communications, and
- that the patient has previously accepted the risk of digital communication,
when replying directly to an email or text message.
Reference(s):
FOIPPA: Section 30
PIPA: Section 34
Appendix B

5.2 Validation is achieved by requiring the Client to directly contact the Provider or respond to the initial communication sent by the Provider to continue the digital relationship.
Clarification:
Without the confirmation of a digital relationship, digital communications cannot take place.
Reference(s):
Appendix B

5.3 Identity validation must be done on communication with any Client recipient who has not been previously validated.
Clarification:
All first-time correspondence with the Client or Provider who will be a recipient of personal information requires identity validation by the sender.
Reference(s):
Appendix B

5.4 Patients can opt out at any time by simply not participating in the identity validation process.
Clarification:
A formal mechanism for revoking consent is unnecessary, as the Client can choose to discontinue the digital relationship during the Identity Validation process, either by communicating their decision not to receive information digitally, or by not replying at all.
Reference(s):
FOIPPA: Section 26(d)
PIPA: Section 9
Appendix B
6.0 Device & Application Requirements
6.1 Where available, employer-provided devices and applications must be used for any communication with a Client or with another member of the care team.
Clarification:
When possible, employees should avoid the use of personal cellphones, laptops and other devices, to ensure that appropriate and consistent privacy practices and security measures are employed.
Reference(s):
Please refer to your organization’s policies for the appropriate use of personal devices to conduct business.

6.2 In the event that Providers use their personal device to communicate with a Client, reasonable security measures must be employed.
Clarification:
When using personal devices to communicate with Clients, Providers must comply with the legislative requirements under FOIPPA and PIPA to make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal, or similar risks.
Reference(s):
Please see Appendix C for guidance.

6.3 When sending other non-Personal Information (e.g. health education and promotional information), please refer to your organizational policies for guidance.
Clarification:
In complying with privacy legislation, each organization will have the appropriate privacy and security practices to address their own context.

6.4 Limit the amount of Personal Information to only what is required.
Clarification:
Providers are to restrict disclosure of personal information to what is relevant and necessary for the purpose of the communication, based on the “need to know”.
Reference(s):
FOIPPA: Section 30
PIPA: Section 17

7.0 Encryption
7.1 Information being sent in accordance with this policy does not require additional encryption, unless requested by the client.
Clarification:
Large amounts of information (full patient files, multiple records) or information that falls outside of the permitted uses in Section 2 should be handled in accordance with internal policy.
8.0 Record Keeping
8.1 Emails and text messages should be treated as transitory communication.
Clarification:
Please refer to your organization’s records management & retention policies and/or professional college standards of practice for guidance on the appropriate storage and retention of records.
Reference(s):
Best Practices Guidance documents, e.g. CMPA

9.0 Breach Notification
9.1 In the event unauthorized access, collection, use, disclosure, copying, modification or disposal of a Client’s Personal Information.
Clarification:
Each Provider will follow their organization’s procedures for containing breaches, evaluating risk, notification and prevention.
Reference(s):
Please refer to your organization’s breach notification policy or professional college standards of practice for guidance on appropriate breach notification processes.
APPENDIX A: Client Notification Form
Notification for the use of Digital Communications
Digital Communications can be a convenient way to communicate with your care team between visits, but there are risks when using these technologies to send personal information.
We’ll do what we can to confirm that any personal information we send is being received by you and only you, but it’s never possible to have 100% certainty who we are communicating with outside of a face-to-face visit.
You need to be aware that we cannot control what happens to information once it is stored: 1) on your device; 2) by telecommunications providers; 3) by software or application providers; or 4) by other applications that may have access to your messages.
You are responsible for the security of your own computer/tablet, email service and telephone.

Risks of using Digital Communications
- The information could be requested, viewed, changed or deleted if others are allowed access to your phone, tablet or email account.
- Information may be vulnerable if stored on a computer/device that has been compromised by viruses or malware.
- Organizations may have to disclose information where required by law or under court order.
- Electronic communications can be intercepted by third parties.
- Your data may be stored and / or accessed outside of Canada.

What can you do?
The below are suggested best practices meant to help you protect your information once it is in your control. It is important to note that these are general best practices and will not guarantee your information won’t be accessed by a third party.
- Protect your passwords! Someone could pose as you by sending us a request from your device or email account.
- Download Apps only from trusted sources (Google Play, iStore).
- If the information you want to communicate is of a sensitive nature, you may want to seek a more secure method of communication.
- Delete emails and texts you no longer require.
- Use your device settings to control what information your Apps have permission to access.
- Avoid sending personal information while using public Wifi.
- Use permission controls on your device to ensure that none of your applications (Apps) have unnecessary access to your text messages and/or emails.
- Use virus protection on your computer or device, and scan regularly.
APPENDIX B: Validation
Validation Scripts
Hello,
[Organization or clinic name] has records available for you. Please respond to this message with the last 4 digits of your Personal Health Number (PHN) to confirm that you are the correct individual and that you consent to these records being sent to [insert email address].
Before you respond, it is important that you understand the potential risks associated with the use of digital communications by reviewing our (LINK) Notification for the Use of Digital Communications.

Options for Validating:
Option 1: Provide your contact information to the Client and ask them to send the first message;
Option 2: Send an initial text or email (see APPENDIX B) to confirm you have connected with the right individual; or,
Option 3: Ask the recipient to verify, by text or phone, information that only the intended recipient would know (e.g. month/year of birth, last 4 digits of PHN, reference number, date of last clinic visit, or other previously agreed upon information).
APPENDIX C: Mobile Device Security Guidelines
1. Regularly update the operating system and apps
2. Use built-in security features
   a. Find my phone (locate your phone and remotely wipe the data)
   b. Set App permissions to minimize access to unnecessary information
   c. Set App location permissions to ‘while using the app’ (vs ‘always’)
3. Avoid connecting to unsecured Wi-Fi networks
4. Download apps only from trusted sources
5. Understand the risks of jailbreaking / rooting
6. Set automatic locks and use a strong password
7. Consider multilayered mobile security solutions