Privacy and secure electronic communication

What is personal health information?

Personal health information (PHI) is any identifying information about an individual in oral or recorded form, including:

• Information about their physical or mental health
• Information relating to providing health care to an individual, including the identification of an individual as a provider of health care to the individual
• Family health history
• Information relating to payments or eligibility for health care
• Health card numbers

What is PHIPA?

The Personal Health Information Protection Act (PHIPA) is Ontario’s law that governs how personal health information can be collected, used and disclosed within the health-care sector.

It spells out the requirements for organizations and individuals that work with PHI, including physicians and their staff. Many physicians are health information custodians under this law. PHIPA articulates additional responsibilities for the role of health information custodian.

The Information and Privacy Commissioner of Ontario (IPC) is responsible for oversight of Ontario’s privacy and access laws, including PHIPA.

You are encouraged to be aware of your obligations under PHIPA and ensure compliance.

Take the OMD Privacy and Security training course to learn about compliance with PHIPA.

Your obligations related to communicating PHI

Physicians are required to take reasonable steps to protect PHI in accordance with PHIPA, including protection against theft, loss and unauthorized access for any collection, use and/or disclosure. This includes when you are sharing it with others within the circle of care or with patients and caregivers.

The College of Physicians and Surgeons of Ontario’s Protecting Personal Health Information policy details the legal and professional expectations of physicians regarding PHI. Additionally, electronic communication with patients and/or members of their circle of care is considered virtual care and the expectations outlined in the CPSO’s Virtual Care policy also apply.

Electronic communication includes email, messages sent through EMR platforms, online forums, patient portals, social media, instant messaging and texting, and telemedicine (including audio and videoconferencing). If you are sending PHI electronically, it is your responsibility to ensure the communication is secure.

Failure to follow professional, statutory and regulatory requirements around privacy can result in CPSO and IPC penalties, which can include financial penalties from the IPC. Read on for additional information on financial penalties from the IPC.

When communicating electronically with other providers

The IPC and CPSO state that you must encrypt emails and electronic messages when sending PHI to other health-care providers, unless there is an emergency or other circumstance that requires them to be unencrypted.

When communicating electronically with patients

The IPC and CPSO state that you must encrypt emails and electronic messages when sending PHI to patients, where possible. This requirement can only be overridden if it is in the patient’s best interest.

If encryption is not possible, you must consider whether it is reasonable to communicate with them electronically given:

• The sensitivity of the PHI
• The volume of information and frequency of emails and electronic messages
• The purpose of the transmission
• Patient expectations
• The availability (or lack thereof) of alternative methods of communication
• Any emergency or other urgent communication

How to communicate electronically with patients

The safest way to communicate with patients is through a secure messaging platform. These platforms represent the lowest risk to physicians in terms of susceptibility to privacy beaches and associated financial penalties.

OMA Legal recommends not using email with patients if at all possible. Using email leaves the physician vulnerable to privacy and security issues, as it is only truly secure if both the physician and patient email are encrypted. It can be difficult to know whether the recipient’s email is secure.

As the responsibility rests on the sender to ensure the electronic communication is secure, it should be presumed the recipient’s personal email is not.

Personal email accounts may also not be private as others may have access to the account.

Failure to use an encrypted method for electronic communication when feasible may result in the physician being required to take remedial action or face administrative penalties by the IPC and/or risk a complaint to the CPSO.

Regardless of the method by which you communicate with patients, consent should be obtained. In particular, express consent of the patient (written or verbal) is always required for unsecured communications and patients need to be informed of the risks and have a reasonable alternative if they do not consent.

Secure messaging platforms

Information sent within a secure messaging platform is expected to be encrypted and will often provide enhanced security and privacy measures through technical safeguards (e.g. logins, audit trails, secure uploads and downloads). Secure messaging platforms also have additional features that may improve both the patient and physician experience (e.g. EMR integration, notification of waiting messages, better record-keeping, etc.).

Hospitals may offer a secure email or messaging platform for internal communications or secure platforms for external communications, which can be confirmed with the hospital privacy officer. 

Ontario Health maintains a list of validated secure messaging platforms. These platforms have also been vetted by OntarioMD.

Access Ontario Health’s list of secure platforms.

A new pilot project (member-only content) that allows physicians to bill for secure messaging has been negotiated by the OMA with the Ministry of Health. Participation in this pilot project requires the use of one of these validated secure messaging platforms.

If you do not have a secure messaging platform

Consider whether you need to communicate electronically

If you cannot ensure that your electronic messages with a patient are encrypted, the CPSO requires that physicians must consider whether it is reasonable to communicate with them electronically given:

• The sensitivity of the PHI
• The volume of information and frequency of emails and electronic messages
• The purpose of the transmission
• Patient expectations
• The availability (or lack thereof) of alternative methods of communication
• Any emergency or other urgent communication

As electronic communication is considered virtual care, you should consider the appropriateness of each communication as outlined in the CPSO’s Virtual Care policy.

Get consent and document it

Get consent from all patients using emails or electronic messages to communicate with you. It is particularly important to get and document express consent from patients (either verbal or written) before communicating with them via unsecured systems as this is an expectation from the CPSO. You can use the sample CMPA form and disclaimer for this purpose.

Let patients know that if they send you PHI via an unsecured email or unsecured messaging system, you cannot guarantee the privacy and security of the information.

Consider using password-protected PDFs

If you must use email, opt to send PHI in a password-protected PDF and then share the password in a separate email. This makes email a “secure” form of communication as the PDF is encrypted and can only be opened by the person with the password.

What makes a strong password? 

A strong password must be eight or more characters and include:

• Alternating upper- and lower-case letters
• Numbers
• Special characters

Try using a password generator. Any password should not be reused.

Virtual visits

For virtual care visits, you must use a platform that has been verified by Ontario Health to bill for virtual care services, as stated in the Physician Services Agreement. You can access Ontario Health’s list of verified platforms if you do not have a secure platform.

Photos and videos

Ideally, photos and videos should be sent through apps integrated into OMD-certified EMRs or through one of the secure platforms listed by Ontario Health. If you request that a patient sends you pictures or videos to inform their care, you must:

• Inform them about the purpose of the photo or video recording
• Include a copy of the photo or recording in the patient’s medical record
• Permanently delete and/or destroy any backup copy of the photo or recording (including any copy stored locally or “in the cloud” that would be outside of the medical record).

Mobile devices and cloud-based services

When using your phone or other mobile device or cloud-based service to access PHI, ensure the information you access, store or backup is encrypted.

Check your device privacy settings to determine how to maximize the encryption settings because the default settings may not be the most secure. Also, check your privacy settings for all services, including social media, mobile apps, browsers, home digital assistants (e.g. Siri, Alexa, etc.), wearables and online games.

Penalties

Effective Jan. 1, 2024, a new regulation under PHIPA allows “administrative monetary penalties” for breaching the act.

The new regulation adds monetary penalties to the higher end of a ladder of options for the IPC to address PHIPA violations.

When deciding whether a monetary penalty is appropriate and if yes, what the amount should be, the IPC will consider the following factors:

1. Extent of the breach
2. Ability to have taken steps to prevent the breach
3. Harm or potential harm
4. Steps taken to prevent harm
5. Number of people or health information custodians affected
6. Whether the Commissioner and affected individuals were notified
7. Reasonable expectation of deriving financial benefit
8. Previous breaches

Monetary penalties will typically be used for more serious contraventions of the law. Both the organization that is responsible for compliance with PHIPA (e.g., hospital or medical practice) and the individuals who work within them (e.g., physicians or staff) can be subject to monetary penalties for serious violations. The penalties may be up to $50,000 for individuals and $500,000 for organizations, or up to the amount of any financial benefit gained from the breach.

Examples of more serious contraventions of PHIPA:

• Serious snooping into patient records: accessing patient health records without authorization and for motives unrelated to participating in their care
• Contraventions for economic gain: unauthorized sale of personal health information
• Disregard for individual’s right of access: persistently denying patients access to their health records or making it unjustifiably expensive to do so

The IPC is more likely to address unintentional infractions with repercussions lower down the ladder, including education, guidance, informal resolution and corrective action recommendations. 

Learn more about administrative monetary penalties (IPC).

Learn more about your obligations to report a privacy breach when it happens.

This page does not constitute legal advice. Please review your institution’s policies on electronic communication (i.e. encryption, password management, etc.) and adhere to them wherever possible.