Chapter 5: Privacy and Confidentiality

5.1 Privacy

[YOUR CLINIC NAME] has very high standards for privacy and confidentiality and has adopted most of the guidelines recommended by the Doctors of BC.

Physicians are governed by the professional requirements in the Canadian Medical Association Code of Ethics. Code of Ethics items 31 to 37 address privacy and confidentiality.

[YOUR CLINIC NAME] is bound by the Personal Information Protection Act (PIPA).

The ten principles for protecting privacy in [YOUR CLINIC NAME] are:

  1. Be Accountable – we are responsible for personal information we collect.
  2. Identify Purpose – we need to ensure that there is a purpose to every piece of information we collect.
  3. Obtain Consent – Personal information should not be collected, used, or disclosed without the prior knowledge and consent of the patient, subject to limited exceptions.  Consent may be implied or expressly given, and may be given in writing or verbally.
  4. Limit Collection - We should collect only the minimum personal information necessary to fulfill stated purposes.
  5. Limit Use, Disclosure, and Retention – We must use and disclose personal information in accordance with the purposes given to the patient.
  6. Maintain Accuracy – Patient information must be kept accurate, up-to-date, and as complete as necessary to fulfill stated purposes.
  7. Employ Safeguards – We have safeguards in place to protect personal information against risks such as loss, theft, unauthorized access and disclosure, copying, use, or alteration.
  8. Be Open and Transparent – We inform patients about the personal information we collect and store, the purposes for which it is used, the persons to whom it is disclosed, and how an individual may access it.
  9. Provide Access – Patients are entitled to access their personal information to ensure its accuracy and completeness, and to identify to whom it was disclosed, subject to certain exceptions.  We charge an administrative fee for printing out or transferring patient records.
  10. Permit Recourse – Patients can challenge our compliance with these principles through our complaints process.

The Doctors of BC Privacy Toolkit was significantly updated in 2017, providing details on each of these principles and significant resources including, basics, guidelines, FAQs, forms, tools, and videos.

The following sections highlight policies adopted by [YOUR CLINIC NAME].


5.2 Privacy Officer 

[The Practice Manager] serves as the privacy officer at [YOUR CLINIC NAME], and is accountable to the Medical Director.

The Privacy Officer is responsible for ensuring that the practice’s privacy policy and procedures are fully implemented and working effectively.  

Key functions of the Privacy Officer include the following: 

  • Developing and implementing policies and procedures to protect personal information.  
  • Educating employees about privacy and security.
  • Ensuring that confidentiality agreements are signed.  
  • Answering patients’ questions about PIPA.  
  • Responding to inquiries, complaints, and privacy breaches.  
  • Responding to patients’ requests for access.  
  • Overseeing the office’s privacy compliance.


5.3 Privacy Policy Notice

[YOUR CLINIC NAME]’s privacy policy is publicly available and can be found on the clinic website. The privacy policy states:

See the "Tools" tab in the Privacy Toolkit for an example template.


5.4 Confidentiality Agreements

All confidentiality agreement forms are found under the "Forms" tab in the Doctors of BC Privacy Toolkit.

5.4.1 Staff

Before having access to patients’ confidential medical records, all staff must read and sign a confidentiality agreement. This agreement states that employees will not disclose medical information without written consent from the patient, and that employees will only have access to patient medical information when it is pertinent to their job. All medical records and information are opened on a need-to-know basis only.  

Employees who fail to comply with these terms will face disciplinary action, which may include termination of access, termination of employment, withdrawal of privileges, termination of contract, and/or professional sanctions.

5.4.2 Third Parties

Any contractor in the clinic such as information technology providers must read and sign a confidentiality agreement for Third Parties.


5.5 Responding to Patient Requests to Access Personal Information

Under the BC Personal Information Protection Act (PIPA), patients (or the patient’s legally authorized representative) are entitled to access their personal information under our control, to ensure its accuracy and completeness, to understand how their information has been used, and to identify the names and the organizations to which their personal information was disclosed. Patients will be given access to their records within one week of their request.

[YOUR CLINIC NAME] charges administrative fees for patients to transfer records in the following circumstances:

When to “No Charge”:

  • Patient requesting access in the clinic to check accuracy of records
  • Patient requesting a print out of 10 pages or less

When to Charge fees recommended by the Doctors of BC Uninsured Fee Schedule:

  • Patient requesting a transfer of records  
  • Legal representative requesting charts for a medical-legal claim

Patients must sign a General Express Consent Form in order to release personal information.

Further information about responding to patient requests to access personal information.


5.6 Managing Privacy Complaints

The Privacy Officer is responsible for managing privacy complaints.

The process is:

  1. Patient files a complaint preferably in writing.
  2. Privacy Officer records the complaint in the Privacy Complaint Log.
  3. Privacy Officer (or delegate) reviews the complaint fairly and impartially.  If needed, gather additional information from the complainant.
  4. Privacy Officer reviews findings with Medical Director, who makes a decision in accordance with PIPA.
  5. Privacy Officer records decision in the Privacy Complaint Log
  6. Privacy Officer (or person specified in the decision) notifies patient of the decision and recourse in accordance with the decision
  7. Privacy Officer ensures decision is carried out, and staff are made aware of any process changes resulting from the complaint.


5.7 Privacy and Security for [EMR]

The Privacy Officer is responsible for: 

  • Implementing and overseeing roles-based access control as approved by the Medical Director.
  • User account management including unique user IDs and passwords.
  • Monitoring that staff log off when away from their desks.
  • Ensuring all EMR data is backed up by [enter backup protocols].


5.8 Use of Technology

5.8.1 Use of Fax

[YOUR CLINIC NAME] fax policies are [insert policies]
Please see the “Use of Fax by Physicians” document in the Doctors of BC Privacy Toolkit.

5.8.2 Use of Email  

[YOUR CLINIC NAME] email policies are [insert policies]
Please see the document “Use of Email by Physicians” in the Doctors of BC Privacy Toolkit.

5.8.3 Use of Social Media

[YOUR CLINIC NAME] email policies are [insert policies]
Please see the document “Social media and Canadian physicians: Issues and rules of engagement” published by the Canadian Medical Association for guidance.

5.8.4 Use of Photography and Video

[YOUR CLINIC NAME] photography and video policies are [insert policies]
Please see the “Photography, Videotaping and Other Imaging” document in the Doctors of BC Privacy Toolkit.


5.9 Responding to Privacy Breaches

In the event of a privacy breach immediately inform the Privacy Officer.  

A privacy breach occurs when there is unauthorized access to, collection, use, disclosure, retention, or destruction of personal health information.  

The following are some common examples of privacy breaches: 

  • Personal information is stolen or misplaced.
  • A paper chart is lost or stolen.  
  • A letter is inadvertently mailed to an incorrect address or faxed to the wrong person.
  • An electronic portable device (e.g., laptop, handheld electronic device, USB storage device) is lost or stolen where appropriate security controls such as passwords or encryption have not been implemented.
  • Inappropriate access to personal information is stored in an electronic system.
  • Personal information is not disposed of appropriately.  
  • A person who legitimately accesses records gains unintended access to information that he or she is not authorized to see.

[YOUR CLINIC NAME] follows the process recommended in the document “Responding to a Privacy Breach – Key Steps for Physicians”.


5.10 Secure Destruction of Personal Information

[YOUR CLINIC NAME] polices for the secure destruction of personal information are [insert policies]

Please see the “Secure Destruction of Personal Information” document in the Doctors of BC Privacy Toolkit.