Key Takeaways
- Physiotherapists have a role in the protection of their clients’ privacy. In order to protect a client’s privacy, the use of administrative, physical, and technical safeguards is required.
- Physiotherapists need to ensure that safeguards are in place at the practice site.
- Physiotherapists who work for non-physiotherapists must have formal agreements in place that ensure that record maintenance and retention will be completed in accordance with regulatory requirements and privacy legislation.
93% of privacy breaches are a result of human error.1
Although privacy safeguards are admittedly not the most exciting topic, they are required to secure your client’s health and financial information. Security is a multi-layered approach where each layer adds a barrier to access. It is important for physiotherapists to understand and learn how to implement these safeguards to ensure that your client’s information remains secure.
Consistently educating yourself and those in your practice about privacy risks and the use of measures to address those risks should be a priority. This article will take you through examples of safeguards you can implement and resources that provide more information specific to your area of practice.
The information contained in this article is not an exhaustive list. The intent of this article is not to turn physiotherapists into privacy or IT professionals, but rather to raise general understanding of privacy safeguards so that physiotherapists know what to look for in the systems they use or ask their IT service providers about.
You are responsible for ensuring the privacy of your client’s health information.
Administrative Safeguards
Administrative safeguards are organizational policies and procedures that act to protect the privacy of the clients. They can come in many forms. How they are used is specific to the practice site.
- Privacy Impact Assessments help you and your organization identify and address potential privacy risks related to your practice. Although not required for physiotherapists at this time, Privacy Impact Assessments are mandatory for Custodians listed under the Health Information Act and are currently recommended for other organizations that collect and use private information.
- All practice sites should designate a Privacy Officer. If you are a business owner and have not designated a Privacy Officer, these responsibilities would fall onto you by default. Privacy officers are responsible for ensuring compliance with privacy legislation, monitoring privacy risks, fielding questions from the public, and for creating and implementing the policies and procedures at the practice site to protect the client’s privacy.
- Performing regular risk assessments to identify vulnerabilities can be part of a Privacy Impact Assessment and should also occur on an ongoing basis. Regular audits and reviews are part of a privacy officer’s duties: reviewing policies, examining reported privacy near misses, talking to staff, and similar activities to identify potential issues they can then address.
- Education of employees on security awareness and safeguarding is a must, as most privacy breaches are a result of human error. It is also a requirement to qualify for most cyber security insurance policies. There are many free online courses offered through provincial and national institutions to educate you and your employees. The resource list below sets out several options.
- Confidentiality agreements protect the client’s personal information that is stored at the practice site by stating the actions the physiotherapist is required to take to keep that information confidential and secure. Confidentiality agreements may be included in employment contracts. Confidentiality agreements may also be required from third parties that have access to the practice site or the data collected at the practice site.
- Policies preventing sharing of passwords and login credentials between co-workers and creating audit logs are standard policies that help to limit access to client information and identify privacy breaches if they occur.
- Role-based access also limits access to client information to those who require access to specific categories of client information. Examples might be reception or administrative staff having access to booking and billing information, but no access to a client’s health information.
- Access controls and user management processes are similar to role-based access. There would be policies in place that would restrict access to certain areas of information storage as well as administrative policies that would ensure terminated employees can no longer access any part of the practice site’s data.
- Ensuring computers are closed or screen locked when physiotherapists are not present prevents prying eyes from accessing a client’s personal health information.
- Mobile/portable device policies are standard in most practice settings to limit any risk to having information stored or accessed on personal devices. As personal devices are used more and more in practice settings it is important to recognize that there is an increased risk of privacy breach when information is stored or accessed via a personal device. You should have policies which control how your employees or contractors access and use their devices in the practice setting. For more information: https://oipc.ab.ca/resource/bring-your-own-device-byod-programs/
- Monitoring and managing third party vendors or others that may access your site or hardware. You may have external IT companies, contractors, students, and cleaners that regularly are on site. Having contracts in place with confidentiality agreements that legally bind the third party creates an added level of security around client information.
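The three administrative safeguards above that concern access (unique logins with audit logs, role-based access, and removing access when an employee leaves) can be illustrated with a small model of a records system. The following is an added example written for this article, not code from the College of Physiotherapists of Alberta or from any practice-management product; the roles, information categories, user names and client identifier are all invented for the illustration.

```python
"""Role-based access check with audit logging (added illustration).

Constructed example of a tiny access-control layer for a clinic records
system. It shows three of the administrative safeguards described above:
- role-based access: reception can see booking and billing, not health records
- unique logins: every access attempt is logged against an individual user
- deprovisioning: a terminated user is denied everything, but their history stays
All roles, names and records here are invented for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Categories of client information a practice site might store (assumed).
BOOKING, BILLING, HEALTH_RECORD = "booking", "billing", "health_record"

# Role -> categories that role may read. This is an assumed policy for the
# example; a real practice site sets its own.
ROLE_PERMISSIONS = {
    "reception": {BOOKING, BILLING},
    "physiotherapist": {BOOKING, HEALTH_RECORD},
    "privacy_officer": {BOOKING, BILLING, HEALTH_RECORD},
}


@dataclass
class User:
    login: str            # unique per person, never shared
    role: str
    active: bool = True   # set to False when the person leaves the practice


@dataclass
class AccessControl:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add_user(self, user):
        self.users[user.login] = user

    def terminate(self, login):
        """Deprovision an account: it keeps its log history but can access nothing."""
        self.users[login].active = False

    def access(self, login, client_id, category):
        """Return True if access is permitted. An audit entry is written either way."""
        user = self.users.get(login)
        if user is None or not user.active:
            allowed = False
        else:
            allowed = category in ROLE_PERMISSIONS.get(user.role, set())
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "login": login,
            "client": client_id,
            "category": category,
            "allowed": allowed,
        })
        return allowed

    def denied_attempts(self):
        """What a privacy officer would review: attempts that were refused."""
        return [entry for entry in self.audit_log if not entry["allowed"]]


def demo():
    """Walk through the scenarios from the article and return the outcomes."""
    ac = AccessControl()
    ac.add_user(User("r.smith", "reception"))        # invented staff member
    ac.add_user(User("j.doe", "physiotherapist"))    # invented staff member
    results = {
        "reception_booking": ac.access("r.smith", "C-001", BOOKING),
        "reception_health": ac.access("r.smith", "C-001", HEALTH_RECORD),
        "pt_health": ac.access("j.doe", "C-001", HEALTH_RECORD),
    }
    ac.terminate("j.doe")   # employee leaves the practice
    results["pt_after_termination"] = ac.access("j.doe", "C-001", HEALTH_RECORD)
    results["denied_count"] = len(ac.denied_attempts())
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the audit entry being written on refused attempts as well as successful ones is that a privacy officer’s regular review can then see who tried to reach information outside their role, which is exactly the kind of near miss the administrative safeguards above are meant to surface.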
Physical Safeguards
Physical safeguards are physical and structural items put in place to prevent access to or removal of electronic devices or paper records.
- Locked offices, cabinets for computers, device locks, and secure storage of hard drives create a physical barrier that someone would have to damage to access them. You can control access to equipment and private areas by using standard locks, or you can use higher-tech mechanisms like individualized passcodes or key fobs to track who is accessing specific areas of the practice site.
- Secure transport of records is standard practice. Letters, documents, etc. that contain private information should be transported securely. Keeping files in a locked briefcase or file box, locked in the trunk of a vehicle, limits the risk of a privacy breach while files are in transit, especially when paired with policies that prohibit staff from leaving records unattended in a vehicle (for example, while stopping at a store during transit).
Technical Safeguards
Technical safeguards are policies and technologies put in place to restrict access to sensitive information. Most of these would be put in place by software companies or IT companies to ensure it was done properly. The College of Physiotherapists of Alberta strongly encourages all registrants to follow IT industry best practices and to work with IT organizations to understand how to best secure their systems and private information.
- Password protection is the simplest form of a technical safeguard. Passwords should be complex in nature and not written down in a place someone else can access. Most registrants/employees will have several passwords in use on a range of devices and systems. An important consideration, particularly with increasing use of cloud-based services from multiple vendors, is the risk posed by password reuse, which could result in multiple systems being compromised from a single password breach. The difficulty remembering multiple passwords is often cited as a barrier to using unique passwords for different systems. Password managers can help to keep track of all those passwords and avoid password reuse. For more information about password best practices (including password length and complexity and use of passphrases) look to organizations like the National Institute of Standards and Technology and the Canadian Centre for Cyber Security.
- Unique logins (as opposed to shared or generic logins) allow tracking of individual users when performing an audit or investigating a privacy breach. Password and unique login policies are administrative safeguards that work with the passwords and logins themselves to establish requirements for the level of complexity of passwords and the minimum frequency of password updates.
- Two-factor or multi-factor authentication takes passwords to the next level and should be implemented when available in a system.2 Passwords can be compromised, but having multi-factor authentication in use creates an additional barrier that increases your overall cyber security.
- Most software/hardware products come with encryption already installed to protect against outside interference. While passwords make it difficult for an attacker to access the information stored in the software/hardware, encryption scrambles the information so that even if the information is accessed, it is unusable to anyone who does not have the encryption “key.” Although encryption and other safeguards may already be installed on devices and programs, it is important to confirm that the settings are enabled or actively in use. Not all systems have these features enabled by default.
- Secure offsite backup of data protects your practice from losing valuable information if there is an issue at the practice site, such as a fire or flood, that damages the data housed there. Also, if you are targeted by a ransomware attack, you still have access to your patient and practice data.
- Network security involves the use of firewalls, anti-malware, and email/content filtering to protect against cyber-attack. Network security should be reviewed with an IT organization and with the companies you use to house data and information to confirm alignment with IT best practices.
A Physiotherapist’s Responsibility
Physiotherapists who work for non-physiotherapists must have formal agreements in place that ensure that record maintenance and retention will be completed in accordance with regulatory requirements and privacy legislation.
Many physiotherapists work in non-traditional settings and for multidisciplinary practices that are not owned and operated by a physiotherapist. Some practice settings may not be owned by a regulated health professional but by an investor, entrepreneur, or unregulated health-care provider. There are concerns that in these settings the owner/operator may not fully understand a physiotherapist’s professional responsibilities.
When physiotherapists work in these environments, they are responsible for ensuring that contracts and daily operations meet the privacy requirements of legislation and the College of Physiotherapists of Alberta. A physiotherapist must make sure these types of agreements are in place before they start and these agreements must be in a legally binding contract.
If the physiotherapist notices that privacy measures and record retention are lacking, it is the physiotherapist’s job to raise the issue and address it. In these practice settings the Most Responsible Physiotherapist is responsible for ensuring the practice setting is established in a way that enables the physiotherapist to meet their professional responsibilities as part of their agreement with both the employer and the College. However, responsibility does fall on each individual physiotherapist to ensure that their client records are secure and that they will be managed appropriately after the physiotherapist departs the practice site.
Resources
- Privacy Guide
- Navigating Privacy Requirements in Physiotherapy Practice
- Personal Health Information: What Privacy Measures a Patient Can Expect from Their Physiotherapist
- Technology in practice: Understanding Administrative Controls
- Private Sector Privacy Management Program Self-Assessment
- Self-Assessment Tool for Public Bodies and Organizations
- Government of Canada: Safeguarding Personal Information
- https://www.paubox.com/blog/what-are-administrative-physical-and-technical-safeguards
- https://www.cyber.gc.ca/en/guidance/best-practices-passphrases-and-passwords-itsap30032
- https://www.staysafeonline.org/resources/online-safety-and-privacy
Sources
Sean FitzGerald, PT, Practice Advisor