New privacy and security guidance for virtual care

The Information and Privacy Commissioner of Ontario recently unveiled new guidance for virtual care providers: Privacy and Security Considerations for Virtual Health Care Visits: Guidelines for the Health Sector. Although the guidance relates specifically to custodians subject to Ontario’s Personal Health Information Protection Act, every health care provider in Canada who is currently using any virtual technology to provide health care services should review the guidance. Most of the same principles exist under the privacy laws of other provinces, and thus the guidance will be useful for health professionals no matter where they practice. 

Steps to enhance privacy and security

The guidelines outline a number of steps to enhance privacy and security in virtual care. First, health care providers are reminded that, in addition to the privacy law, their own regulated health professions college will have professional standards that also apply, and there may be other relevant provincial laws related to health care provision that should not be overlooked.   

The guidelines recommend that when providing health care virtually, a health care provider should first conduct a privacy impact assessment (a PIA) of the tools and processes that will be used. Some provincial privacy laws make it mandatory to conduct a PIA.  Even where it isn’t mandatory, doing a PIA is good practice to ensure that any privacy or security risks are identified and mitigated at the outset. 

Providers are advised to develop and implement a “virtual health care policy” to address the specific issues and risks associated with the provision of care virtually. The provider should ensure that staff receives appropriate training in privacy and security to reduce risks. Delivering care virtually raises new privacy and security risks to patient personal information and to the privacy rights of health care providers, staff and others; remote connectivity and working from home may materially impact patients’ ability to protect their confidentiality. Providers need to take that into account. 

The guidelines also indicate that custodians should have an information security management framework for monitoring, assessing and mitigating security risks, and must have a privacy breach protocol that is triggered in the event of a breach. 

Selecting a virtual platform vendor

The guidelines provide helpful information for health care providers when selecting a vendor for a virtual care platform, including recommended contractual terms and key issues to avoid. The guidelines also address key issues such as email and messaging technology, videoconferencing and patient portals. Detailed advice about safeguards and consent is also included.

Next steps

All health care providers who are currently providing care virtually should review this new guidance and take steps to ensure that their own practices appropriately protect patient privacy, and meet the legal and professional standards in their jurisdiction.