Privacy Q&A

Q1: Do patients/clients and/or family members have the right to record an interaction with me without my knowledge or permission? Can an audio recording be used in a court of law against healthcare workers?

This response is a summary of a legal opinion provided by CDBC legal counsel during the time this question was submitted. Audio recordings in the context of a healthcare relationship have not been squarely addressed by the courts. However, there is enough information available to provide reasonably solid advice.

In short:

  • a patient does have the right to record a counseling session without the dietitian’s consent,
  • a dietitian does not have a right to expect that the patient would ask permission before making a recording, and
  • a recording could be used in court.

Reasons for the legal advice: The Supreme Court of Canada has stated that the health professional is the owner of the health record but “the information that a patient reveals…remains one’s own…”. The patient has control of their information which suggests that they can deal with it however they wish. It is not an offence under the Criminal Code for a patient to record a conversation to which they are a party without the other party’s consent. Neither the “Freedom of Information Protection of Privacy Act” (FIPPA) nor the “Personal Information Privacy Act” (PIPA) applies to the patient, although the provisions apply to a dietitian’s disclosure of the patient’s information, depending upon whether the dietitian is working in a public healthcare institution (FIPPA) or a private clinic (PIPA). The BC “Privacy Act” makes it an offense to violate the privacy of another but it does not create an absolute right to privacy; only a right that is reasonable. Based on these Acts, it is doubtful that a dietitian or other healthcare practitioner has a right to privacy regarding their advice in a counselling session. Although regulatory cases where audio recordings were used in court were not found, there are many examples in family law. Audio recordings of conversations are generally admissible as evidence if the court is satisfied that the evidence is relevant to the issue and the recording is trustworthy. A recording of a counseling session would likely be treated in a similar manner. You are encouraged to seek legal counsel for more information as it pertains to your own situation.

Q2: If a patient discloses confidential information to me after being referred by a doctor and requests the information remain confidential between myself and the patient, can it legally remain confidential? Am I obligated to tell the doctor about anything related to nutrition that might affect the patient's condition?

If it has not been consented to, or if it has been expressly denied, you may not disclose personal dietetic-related information about a patient to their physician, unless the failure to disclose could cause significant harm to your client or others. You should continue to work with the patient to encourage consent so as to provide full disclosure of the patient’s status and care to the admitting or most responsible physician, such that optimal care can be provided. In the absence of consent, you should advise the physician that they do not have full information about the patient, but that due to confidentiality, you are not permitted to disclose more. It is important for you to understand the privacy legislation (for private practitioners: Personal Information Protection Act – PIPA; for public healthcare practitioners: Freedom of Information and Privacy Protection Act – FIPPA). You are encouraged to seek legal counsel. If you work for a Health Authority or other employer, it is also important that you understand your workplace policies on these situations. You should speak with a manager or supervisor to determine the limitations/expectations on your involvement with your patient.

Q3: I work in Private Practice and have been sending my client follow-up notes to the referring specialist. The client is aware and has asked me (verbally) to also send my notes to their family physician. Other than charting this request in my notes, is there anything else I need to do?

Your client is requesting that you send your documentation to their family physician. Per CDBC Consent to Treat Guidelines, which reference the Healthcare Consent and Care Facilities Admissions Act, section 9, as well as the CDBC Privacy Guide (Step 3 Obtain Consent), you may accept verbal consent and document it appropriately in the medical record. There is no need to request written consent to be able to send your documentation to a family physician.

Q4: How should patient identifiers be communicated in an email to maintain confidentiality?

The CDBC does not have a specific policy on this matter. Instead, privacy is addressed through the CDBC Code of Ethics: Principle 5 – Respect, Dignity and Privacy, as well as in the CDBC Privacy Guide in the section titled: Guidelines for Use of Email or Fax. This serves as a guide to all dietitians regardless of the area of practice. It is up to the employer to set policies on privacy within an organization. The CDBC is legislated under the Health Professions Act to inform individuals of their legal rights, including privacy legislation. Employers and private practitioners use the following legislation to develop workplace privacy policies and procedures:

The key focus of all privacy legislation is the protection of personal information. This is defined as any identifiable information about an individual, including age and birth date, ethnic origin, race, financial and credit card information, wage or salary, home contact information, medical information, Social Insurance Number, religious and political affiliations, personal habits, preferences and activities, photographs submitted to an organization for identification purposes and the contents of employee personnel files. It is important to note that personal information does not include the individual’s name, business title, and business contact information. This is considered “public information.” Personal information published by individuals in public directories, on their business cards and on social media is also considered public information. Therefore, it would be against privacy legislation to email a patient’s full name in combination with any of the items listed as “personal information”, such as medical information.

Q5: Is there anything to consider when contacting clients by email? Is there a privacy issue with emailing clients? If so, what do I need to do to contact or email clients?

Per the Virtual Dietetic Practice Guidelines (scroll down on the QA page), “Dietitians discuss and provide information on confidentiality and security with regards to the use of the technology included in their services.” When contacting clients, FIPPA, which legislates public healthcare practitioners, strongly encourages the storage of personal information in Canada. This means you should consider using an email that is associated with a server where data is stored within Canada. For example, Gmail does not store its email content on Canadian servers. Private practice dietitians are governed by PIPA, which also encourages the storage of personal information in Canada. If you are unable to assure that your client is using a secure email service, you should:

  • have a published privacy policy, which outlines the safeguards you have in place to protect your client’s medical record as well as the manner with which your client is able to request access to that medical record. This privacy policy should disclose if you are storing personal data on servers outside of Canada,
  • have clearly explained the risks to your client about the potential for private information to be obtained in a public setting by a member of the public, and
  • document consent obtained by the client to demonstrate the client’s understanding of risk.

For more information, you are encouraged to refer to CDBC Privacy Guide section Guidelines for the Use of Email or Fax Best Practices.

Q6: An insurance company has contacted me wanting to verify a client claim. Does noting that someone is a client go against confidentiality?

No. Consent to contact you to confirm services is implied when a client has sent your name to an insurance company. This may be done if the client is looking to receive reimbursement from an insurance company. Disclosing client information without their permission is considered a breach of privacy. Therefore, before you can verify client status, it is prudent to confirm that the client has consented to having the insurance company contact you under its Terms of Service. Other steps to support client privacy and their insurance claims would be to inform the insurance company that the client will be contacted to obtain consent. This may be in a documented verbal or written permission format to be able to release information (e.g., receipts).

Q7: If an insurance company seeks information about someone who is not a client, is it okay to say that person is not a client if I have not worked with them? What if a potential client books an appointment, but cancels or misses the first session and never rebooks?

The best approach is to inform the insurance company that you have not worked with the client since there will be no client record. It is not pertinent to inform the insurer that a client attempted to establish contact with you.

Q8: I’m looking for the best way to keep and organize my client records. Many dietitians seem to use programs such as Practice Better. I’m wondering if there’s an issue with this as the information is not necessarily stored in Canada (it’s a US company). Would this work if I add a note on this in my consent form? Or is there a better way recommended to keep records, besides paper.

You are encouraged to review the CDBC Privacy Guide, specifically the section titled Guidelines for Protecting Clinical Records Outside the Practice.

If you work in a public health setting, such as a hospital, FIPPA strongly encourages that client’s personal information be stored on servers within Canada. If you work in a private clinic or as a private practice dietitian, PIPA recommends that ideally, you collect and store data on servers that are based in Canada. However, as mentioned above, if your servers are in the United States, this needs to be disclosed to the client. As well, risks should be transparent, and your conversation must be documented per the CDBC Standards for Record Keeping. In order to ensure that the disclosures you use on your consent form are complete and accurate, it is recommended that you access legal counsel through your liability insurance provider.

Q9: I have an office to see clients in Kelowna, but I live in Vernon. I’ve been asked if I can see clients in Vernon, but as I don’t have an office there, I’m wondering if we’re allowed to meet with clients in places other than an office or the client’s home? For example, would it be possible to meet with a client in a coffee shop if the client consents to this and is aware of the impacts on privacy?

Meeting your client outside of an office setting is a possibility. A client’s home may be the most appropriate as it facilitates maintenance of privacy. However, should your client want to meet you in a public place, please be aware of the CDBC Privacy Guide, specifically the section titled ‘Conversations’ in the Guidelines for Protecting Clinical Records Outside the Practice, which states that dietitians are discouraged from “discuss[ing] a client’s personal information in public areas.” This refers directly to conversations between healthcare practitioners about mutual clients. If your client demonstrates consent to proceed with meeting you in a public place, you should:

  • have a published privacy policy, which outlines the safeguards you have in place to protect your client’s medical record as well as the manner with which your client is able to request access to that medical record. This privacy policy should disclose if you are storing personal data on servers outside of Canada,
  • have clearly explained the risks to your client about the potential for private information to be obtained in a public setting by a member of the public, and
  • document consent obtained by the client to demonstrate the client’s understanding of risk.

Q10: I currently reside in another province and am registered with CDBC to provide virtual services to BC residents. Since I don't reside in BC, which privacy laws am I governed by? Both PIPEDA and PIPA? Or only PIPEDA?

Some provinces, such as BC, have provincial privacy acts. Per the Office of the Privacy Commissioner of Canada, these provincial privacy acts (PIPA in BC) are “substantially similar to PIPEDA. Organizations subject to a substantially similar provincial privacy law are generally exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province.” When practicing dietetics (registered with CDBC) with clients in BC, PIPA in BC is governing your practice.

PIPEDA applies to “federal work, undertaking, or business” as defined in Section 1 of that act. This would include organizations such as Corrections Canada, Armed Forces, Health Canada etc.

If you have more specific questions regarding privacy legislation in BC, you are encouraged to have a look at the CDBC Privacy Guide section Legislative Framework for Privacy in the BC Health Care system or to contact the Office of the Information and Privacy Commissioner (OIPC) for BC. They can help you best navigate privacy law.

Q11: How long do I have to keep my client records for in private practice?

Private Practice is governed by PIPA, the Personal Information Protection Act. Client records in private practice must be kept for a minimum of one year. You can refer to the CDBC Standards for Record Keeping and the CDBC Privacy Guide, specifically Step 5 – Limit Use, Disclosure, Storage, and Retention for more details.

Q12: I am being asked to transfer the medical records from one company to another. Can I do this? Circumstances could include, but are not limited to, (1) a physical move to another location with another company, or (2) a company replacing another company, resulting in a name change and/or a management change.

First, it is important to consider who the custodian of the health records is, regardless of the format of the records (electronic or paper). Generally, the company/clinic owner is the custodian of the records. Circumstances might include:

  • You own the clinic and are thereby the custodian of the medical records. In this case, it is your responsibility to secure the medical records.
  • You are running your private practice under the umbrella of someone else, who owns the clinic. If you do not own your clients’ health records, you are not responsible for their secure transfer. In this situation, your clients may decide to consult with you at the new company. They may request the current company/clinic owner for a copy of their health record and share this with you at the new company. If the record is electronic, keep in mind that there is potential difficulty in separating RD information and charting from a multidisciplinary health record.

If the current company is private, it has an obligation, as you do, to follow the Personal Information Protection Act (PIPA), which the Government of BC has made more accessible here, by applying it in simpler language to private business owners. You may also review the CDBC Privacy Guide.

PIPA is the responsibility of the Office of the Information and Privacy Commissioner (OIPC), who is an independent officer of the BC Legislature. In keeping with these Acts, the CDBC has outlined in the CDBC Standards for Record Keeping, your obligation for the secure storage (for 1 year) and destruction of your client files after this time.

The CDBC does not otherwise have jurisdiction over privacy obligations or transfer of medical information from one company to another. Therefore, if you have more specific questions regarding privacy concerns related to transferring client files, you are encouraged to connect with the OIPC via their website or by email at to help you determine your legal rights and obligations.

Second is the consideration of consent provision. Above, the act of having the clients request to move their health records to you, is consent to receive their health records. Expressing interest in continuing to receive dietetic care from you, is also considered providing consent. Consent continues until it is removed, or when there is a change in the course of treatment (less than 12-month duration).

Therefore, once you have obtained consent to see clients, you do not need to get it every time, unless consent is withdrawn. A change in the nutrition care plan requires obtaining renewed consent. A care plan for your client is not considered to be changed when the location of your company/clinic changes.

CMPA – Who has custody of medical records, and who can they be shared with? was used to develop the answer to this question.
