PIPEDA & PHIPA 13(2)

PIPEDA*, PHIPA** section 13(2) and the findings HO-004 and HO-007 are clear; data in transit or on mobile devices must be highly encrypted. The responsibility to keep the data encrypted rests with the ‘information custodian of record’ (typically, the practitioner).

Email servers and third-party upload sites are no different than a mobile device, and may be worse because there is no physical limitation to a security breach.  Even though a cloud site will encrypt the transmission of the data (https), while on the cloud site the data is likely unencrypted, or only protected by a password that is held by the server administrator.  This opens up the potential for a privacy breach and compromise of confidential information.  It is your responsibility to ensure that no one can access patient records except those people authorized by the patient. SafeReferral helps you safeguard that responsibility. Read a case report about patient privacy here.

*Personal Information Protection and Electronic Documents Act **Personal Health Information Protection Act, 2004