Click4Time Privacy Risk Assessment
Personally Identifiable Information (PII) Self-Assessment for Health Practitioners
Welcome to Your Privacy Risk Assessment
This self-assessment tool will guide you through evaluating how your practice handles Personally Identifiable Information (PII) and Personal Health Information (PHI). After completing all questions, you'll receive tailored recommendations based on Part III of the Privacy Management Guide.
Guiding Principle 1 – “Accountability” is the foundation upon which to carry out a privacy and security audit of your organization’s information handling, processing, disclosure and storage policies and procedures.
Understanding What Information Must Be Protected
Personal Health Information (PHI) means information about an identifiable individual’s health and includes:
- Information about the individual’s health care providers
- Health numbers (such as care card number)
- Insurance information
Important: When an individual's identifying information is directly linked to personal information related to that identity, the identifying information becomes PII or PHI and is protected under the applicable Acts.
Conversely: When all identifying information is removed from the personal information and remains so (that is, the information cannot reasonably be re-linked to the individual), the personal information is rendered anonymous and is excluded from the provisions of the applicable Acts.
This assessment consists of 10 essential questions that will help you document how PII is currently handled in your practice and establish a framework for your privacy management program.
What is PII and how sensitive is it?
- All information collected from a client for the purpose of their visit and which is attached to their identity
- Intake forms / health history
- Consents, waivers and related communications
Why is PII collected?
- The information collected must be relevant and specific to the client’s chief complaint and purpose for seeking treatment/service
- What record do you keep to prove this relevance?
- No other information should be collected
How is PII collected?
- On paper
- Secure electronic form
- Web form
- Audio recordings
- Recorded virtual sessions
- Appointment book
What is PII used for?
- Is the information being used for a purpose other than that for which it was collected?
- Example: A client may return with a new injury that is unrelated to the information collected previously; that new purpose calls for new, relevant collection rather than reuse of the old record
- Use must always be relevant to the purpose for which the information was collected
Where is PII kept?
- Paper in lockable filing cabinets
- Electronic files online
- Electronic files on mobile media drives and devices
- Remote servers
- Remote third-party reception services and their devices
What security measures are there to protect PII?
- Lockable filing cabinets
- Password-protected reception display monitors
- Automatic or mandatory log-out from all mobile devices
- Reception area barriers
- Display monitors not visible to clients in the reception area
- Encryption of information in transit, and at rest on any mobile media drives and devices that hold it
Who has access to PII?
- Record (sign-out log) of who retrieves client paper records, and when
- Minimize and identify reception staff access
- Restrict access to staff on a need to know basis
- Identified service providers / practitioners
- Clinic owner
- Administrator(s)
Who uses PII?
- Identified reception staff
- Identified service providers / practitioners, whether one or several
- Third-party service providers and online services
- Referred specialists
- Insurance companies
- Parents and guardians
- Lawyers and legal requirements
Who is PII shared with?
- Other service providers (team approach)
- Specialists
- Parents/guardians
- Insurance companies
- Lawyers
- Law enforcement agencies
How long does PII need to be kept?
- Personal information must only be retained for as long as is necessary for the fulfillment of the purposes for collection
- Must allow sufficient time for recourse, appropriate to the purpose for its collection
- The longer that PII is retained beyond this provision, the greater the risk of exposure and possible compromise
- Some regulatory colleges may require you to retain PII for a much longer duration than may appear logically reasonable
Important: Compliance does not guarantee that PII will not be compromised. It does, however, mean that by strictly following and recording implementation of the Guiding Principles, you can demonstrate that you have done everything reasonably possible to protect PII, which substantially reduces your exposure to liability if a compromise does occur.
Assessment Complete with Recommendations
Review your responses and tailored recommendations based on Part III of the Privacy Management Guide.
Powered by Click4Time Practice Management Software | click4time.com
DISCLAIMER: This assessment is for informational purposes only and does not constitute legal advice. Consult a qualified attorney or privacy professional regarding your specific compliance obligations.
Privacy Risk Assessment Tool – Terms of Use
1. Proprietary Software
This Privacy Risk Assessment Tool is proprietary software owned exclusively by Click4Time Software Inc. All rights reserved.
2. License Grant
This tool is licensed exclusively for use by Click4Time customers in good standing. Use of this tool constitutes acceptance of these terms.
3. Prohibited Activities
- Copying, reproducing, or distributing this software
- Modifying, adapting, or creating derivative works
- Reverse engineering, decompiling, or disassembling
- Removing or altering copyright notices or branding
- Using for purposes other than personal practice assessment
- Sublicensing or transferring rights to third parties
4. Intellectual Property
All content, including but not limited to text, recommendations, design, code, and methodology, is protected by copyright, trade secret, and other intellectual property laws.
5. No Warranty
This tool is provided “as is” without warranty of any kind. Click4Time Software Inc. is not liable for any compliance decisions made based on this assessment.
6. Not Legal Advice
IMPORTANT: This tool does not constitute legal advice or professional consultation. Click4Time Software Inc. is not a law firm and does not provide legal services. The recommendations provided are general guidelines only and may not address all requirements applicable to your specific situation.
You must consult with a qualified attorney or privacy professional regarding your specific legal obligations under PIPEDA, PIPA, HIPAA, PHIPA, or other applicable privacy laws and regulations.
7. Legal Action
Unauthorized use may result in civil and criminal penalties. Click4Time Software Inc. reserves the right to pursue all available legal remedies.
8. Contact
For licensing inquiries or to report unauthorized use: support@click4time.com
© 2025 Click4Time Software Inc. Patent Pending.