How to Build and Implement Your Own Privacy Management Plan
Part II – Risk Analysis Self Assessment
Guiding Principle 1, “Accountability”, is the foundation upon which to carry out a privacy and security audit of your organization’s information handling, processing, disclosure and storage policies and procedures. It will also be your guide to developing and implementing your privacy management program.
Identify The Information That You Must Protect
Some information is excluded from protection under the Privacy Acts, except in certain circumstances. So what information must you protect?
For the purpose of conducting business, the Privacy Acts define personal contact information as being excluded from their provisions. Personal contact information includes name, phone numbers, email address and physical address. PIPA further excludes personal information used for personal or domestic purposes. Quote: “the collection, use or disclosure of personal information, if the collection, use or disclosure is for the personal or domestic purposes of the individual who is collecting, using or disclosing the personal information and for no other purpose”.
Personal information that is covered by the Acts is referred to as Personally Identifiable Information (PII); health-related personal information is called Personal Health Information (PHI) in Canada and Protected Health Information (PHI) in the USA.
Personal Health Information means information about an identifiable individual’s health and includes information about the individual’s health care providers, health numbers (such as care card number) and insurance.
It is important to note that when an individual’s identifying information is directly linked to the personal information related to that identity, the identifying information becomes PII or PHI and is protected under the Acts.
Conversely, when all identifying information is removed from the personal information to which it was related and remains so, the personal information is rendered anonymous and harmless and is excluded from the provisions of the Act.
Risk Analysis Self Assessment
Now assess and document how personally identifiable information (PII) is currently handled. Use the following questions to establish the framework from which to build your privacy management program. (Each question is followed by some example answers that are typical of a multidisciplinary clinic):
- What is PII and how sensitive is it?
  - All information collected from a client for the purpose of their visit and which is attached to their identity, e.g. intake forms / health history, consents, waivers and related communications, etc.
- Why is PII collected?
  - The information collected must be relevant and specific to the client’s chief complaint and purpose for seeking treatment/service. What record do you keep to prove this relevance? No other information should be collected.
- How is PII collected?
  - On paper; secure electronic form; web form; email; audio; recorded virtual sessions; appointment book; etc.
- What is PII used for?
  - Is the information being used for a purpose other than that for which it was collected? E.g. a client may return with a new injury that is unrelated to the information collected previously. Use must always be relevant.
- Where is PII kept?
  - Paper in lockable filing cabinets; electronic files online; electronic files on mobile media drives and devices; remote servers; remote third-party reception services and their devices; etc.
- What security measures are there to protect PII?
  - Lockable filing cabinets; password-protected reception display monitors; automatic or mandatory log-out from all mobile devices; reception area barriers; display monitors not visible to clients in the reception area; encryption of electronic information while in transmission; etc.
- Who has access?
  - Record of who draws client paper records; minimize and identify reception staff access; restrict access to staff on a need-to-know basis; identified service providers / practitioners; clinic owner; administrator(s); etc.
- Who uses PII?
  - Identified reception staff; identifiable individual or multiple service providers / practitioners; third-party service providers and online services; referred specialists; insurance companies; parents and guardians; lawyers and legal requirements; etc.
- Who is PII shared with?
  - Other service providers (team approach); specialists; parents/guardians; insurance companies; lawyers; law enforcement agencies; etc.
- How long does PII need to be kept? (See Guiding Principles 5 – 2. & 3.)
  - The Guiding Principles are very clear on this. Quote: “Personal information must only be retained for as long as is necessary for the fulfillment of the purposes for collection as well as to allow sufficient time for recourse, appropriate to the purpose for its collection.”
  - The longer PII is retained beyond this provision, the more the risk of exposure and possible compromise increases with time, and the greater the probability that a complainant can prove your non-compliance with the Privacy Acts in the event of a breach of that information.
  - Important: Compliance does not guarantee that PII will not be compromised. It does, however, mean that by strictly following and recording implementation of the Guiding Principles, you can prove that you have done everything reasonably possible to protect PII and are thereby exempt from liability.
  - Be aware that some regulatory colleges require you to retain PII for a much longer duration than may appear logically reasonable. If a practitioner has concerns in this respect, it is up to the individual practitioner to address this directly with their college and/or, if necessary and in order to safeguard their own compliance, clearly inform the client of such retention requirements at the outset of treatment and include such a statement in their Client Consent Agreements.
In Part III – Building The Privacy Management Plan, you will be using your answers to the above ten questions to define and document each of your policies and procedures for implementation.