This is not a substitute for professional legal advice, but for educational purposes only. Please consult with a licensed lawyer on how this information relates to your specific business in your geographical area. The information in this article is based mostly on the Canadian PIPEDA and the US HIPAA requirements; however, there are probably a few other laws and best practices that would apply to your situation as well. This information will get you started, but don’t stop after reading this post!
You collect health information, right?
As a healthcare practitioner, you know your client’s health information needs to be confidential. Of course you won’t share it with your family, friends and colleagues (without expressed permission from your client), nor would you leave it open on your desk all night in an unlocked office after a long day of consultations. Right?
But what else do you need to do to follow the rules? What exactly are those rules anyway?
Well, without going into a full (and dry) explanation of Canada’s PIPEDA (and other laws such as the Digital Privacy Act, PHIPA, etc.), or the American HIPAA requirements, we’ll be practical. (Of course, we highly recommend that you read through these yourself and get professional legal advice, since we can’t possibly cover everything in one article; and, obviously, we’re not your lawyer).
Hot Tip: Your legal policies will be unique based on: the type of business you run, your credentials, licenses and associations, the specific products and services you provide, what information you collect from clients and how you collect it, how you use and disclose that information, what technologies and online platforms you use, what security measures you have for your website and paper files, etc.
What to do?
Canadian PIPEDA, US HIPAA – Which one(s) apply?
If all of your practice, clients and business transactions are in one country, you definitely need to follow all of your country’s requirements. If you have international liability insurance and can then help clients outside of your home country, you should follow both PIPEDA and HIPAA (and all other applicable laws too.)
The great news is that both governments have websites designed to help businesses like yours understand and comply with the laws, without needing to learn how to interpret the language known as “legalese”!
PIPEDA in a nutshell
The Canadian Personal Information Protection and Electronic Documents Act states that:
Organizations covered by the Act must obtain an individual’s consent when they collect, use or disclose the individual’s personal information. The individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again. Individuals should also be assured that their information will be protected by appropriate safeguards.
USA’s Health Insurance Portability and Accountability Act in a nutshell
The HIPAA Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs) and give patients an array of rights with respect to that information. This suite of regulations includes the Privacy Rule, which protects the privacy of individually identifiable health information; the Security Rule, which sets national standards for the security of electronic Protected Health Information (ePHI); and the Breach Notification Rule, which requires CEs and BAs to provide notification following a breach of unsecured Protected Health Information (PHI).
Hot Tip: The bottom line of both of these laws is that they require you to protect people’s information.
NOTE: This post focuses on PIPEDA and includes some information on HIPAA; check out this site if you need a bit more HIPAA in your life.
First PIPEDA Stop: Privacy Toolkit for Businesses
There is a website created specifically for businesses called (you guessed it!) the “Privacy Toolkit for Businesses.” Before you spend time going through it, let’s learn a teeny bit more…
PIPEDA regulations contain 10 principles:
1. Be accountable (your business – your responsibility.)
2. Identify the purpose (tell the person what you will do with their information, and don’t do anything else with it.)
3. Obtain informed consent (your client needs to actually give consent for your uses/disclosures of their health information – Hot Tip: List these on your intake form before your clients sign it.)
4. Limit collection (only collect information you actually need to serve your client – Hot Tip: Eliminate any unnecessary questions.)
5. Limit use, disclosure and retention (don’t do anything your client didn’t agree to, don’t let anyone your client didn’t allow to see their information, and don’t keep the information longer than you need to.)
6. Be accurate (’nuff said!)
7. Use appropriate safeguards (health information is “sensitive” and therefore requires a higher level of security against loss, theft, unauthorized access, disclosure, copying, use or modification.)
Hot Tip: Use passwords, encryption, locked cabinets & offices, HIPAA-compliant online communication, etc. – more on this below.
8. Be open (make your privacy policies and practices readily available to your clients.)
9. Give individuals access (if someone wants to see their own file, show them and document that you did.)
10. Provide recourse (handle any complaints fairly and appropriately and again, document what happened.)
That is the gist of the PIPEDA requirements. But how do you apply it to your business?
Health Information = “Sensitive” Information
The information you collect may include your client’s concerns, health goals, medical history, etc. Health information that clients entrust to you as their practitioner is not commonly known about them. As you can imagine, if that information (unintentionally) gets out to certain people, it can affect a person in a big bad way (think job implications, insurance coverage/claims, etc.)
That makes health information “sensitive” information. This brings health information to a Whole. Other. Level. (brace yourself!)
Hot Tip: “Sensitive” can also include financial/payment information, etc. and needs to be handled with the same level of care as health information.
As a responsible practitioner, you want your clients to be able to trust you, and you don’t want someone complaining to the Privacy Commissioner. But the more likely motivator is that you absolutely want to do the right thing, and you don’t want to spend time being investigated – You’ve got clients to help! You’ve got health to improve! You’ve got a business to run! So let’s get this whole privacy compliance thing done with already!
Now, we’ll break down your processes into two categories:
1. Consent & Use
2. Disclosure & Security
Health information – Consent & Use
“…there are hidden costs and obligations involved when you collect personal information. One of the easiest and cheapest ways you can make your business privacy-compliant is to collect only what you actually need.”
When you think about the types of information you collect, consider The Three Rs (no, not those three R’s). Is the information you collect:
Relevant to your purpose?
Really needed for your business?
Hot Tip: Reduce your liability by collecting as little information as possible. When you go through the online Privacy Plan tool (which I’ll link to in a bit), it will help you identify the types of information you collect, for what purposes, and whether or not you really need the info for that purpose. It’s good to think about!
Once you’re pretty confident that you actually need the information you collect, and knowing that health information is “sensitive”, you need to get from your clients what’s called “express consent”. This means you need to tell your clients exactly what you plan to use their information for and who will ever see it. You can’t assume that they understand.
Hot Tip: Your intake form can specify why you are collecting their information (i.e. so that you can use it for assessing their health situation and goals, providing nutritional consultation, etc.); you may also use it to develop new wellness programs and/or send them regular emails or health resources specific to them. You will appropriately secure their information so that no one will access it without their express written consent. You know, that kind of stuff.
And importantly, make sure you do what you promise.
If you ever want to use clients’ information for something else, you need to ask them for permission for that too.
Health information – Disclosure & Security
Security is a huge question.
Unfortunately, neither PIPEDA nor HIPAA lay out terribly specific requirements.
Sorry, please take it up with them directly…
However, what they both say, is that reasonable and appropriate safeguards must be used, and that for health information you must use the “strongest form of protection possible.”
This is where good legal advice comes in (reminder that we don’t give out legal advice!)
Here’s a link to 10 tips to reduce the likelihood of a privacy breach.
Let’s go over some of the security recommendations.
Ideally, paper files should be stored in a locked cabinet, in a restricted area with an alarm system.
Ask yourself this, “Would your clients consider these ‘reasonable and appropriate’ for their health information?”
What about electronic forms?
You probably use email or online forms to collect/transmit (email/esurveys) and store clients’ personal health information (eforms/edocuments). Some are password protected, some are not. Are they encrypted? Don’t forget that you should have “appropriate safeguards” and “the strongest form of protection possible”. Consider things like:
Encrypted data files
Encrypted personal information that is sent or received over the Internet (by email, through web forms, etc.)
Electronic audit trails that identify who has accessed information
Keeping backup files in a locked cabinet
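Principle 7 above and this list both call for an audit trail that answers “who has accessed this client’s file, and when?” As an added example (my own code, not something from the original post, from PIPEDA, or from any vendor mentioned here), this Python script keeps a tamper-evident access log: each entry records user, record, action and time, and carries an HMAC tag chained to the previous entry, so an edited or deleted old entry breaks the chain and the verifier points at it. The signing key, user names and record IDs are constructed placeholders; in a real practice the key lives in a secrets store, never in the script. It covers the audit-trail item only, not encryption of the files themselves.

```python
"""Tamper-evident access log for client records (added example, not from the
original post). Every time someone opens a client file, an entry is appended
that records who, which record, what action and when. Each entry's HMAC tag
covers its own fields plus the previous entry's tag, so editing or deleting an
earlier entry later breaks the chain and verify_log() reports where."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In practice load it from a secrets store, never hard-code it.
AUDIT_KEY = b"demo-key-replace-me-32-bytes-long!!"

GENESIS_TAG = "0" * 64  # the "previous tag" used for the very first entry


def _tag(fields: Dict[str, str], prev_tag: str, key: bytes = AUDIT_KEY) -> str:
    # Canonical JSON so identical fields always produce identical bytes.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + payload, hashlib.sha256).hexdigest()


def append_entry(log: List[dict], user: str, record_id: str, action: str,
                 when: Optional[str] = None) -> dict:
    """Append one access event to the log (a plain list here) and return it."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    fields = {"user": user, "record": record_id, "action": action, "time": when}
    prev = log[-1]["tag"] if log else GENESIS_TAG
    entry = dict(fields, tag=_tag(fields, prev))
    log.append(entry)
    return entry


def verify_log(log: List[dict], key: bytes = AUDIT_KEY) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS_TAG
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "tag"}
        if not hmac.compare_digest(_tag(fields, prev, key), entry["tag"]):
            return False, i
        prev = entry["tag"]
    return True, -1


def accesses_to(log: List[dict], record_id: str) -> List[Tuple[str, str, str]]:
    """Who accessed a given client record: the question an audit trail must answer."""
    return [(e["user"], e["action"], e["time"]) for e in log if e["record"] == record_id]


def demo() -> dict:
    """Build a small constructed log, then show that a silent edit is detected."""
    log: List[dict] = []
    # Constructed sample events (users and record IDs are placeholders).
    append_entry(log, "leesa", "client-0001", "view", "2016-10-01T14:02:00+00:00")
    append_entry(log, "leesa", "client-0001", "update", "2016-10-01T14:10:00+00:00")
    append_entry(log, "assistant", "client-0002", "view", "2016-10-02T09:30:00+00:00")
    intact_before, _ = verify_log(log)
    # Simulate someone quietly rewriting who performed the second access.
    tampered = [dict(e) for e in log]
    tampered[1]["user"] = "someone-else"
    intact_after, bad_index = verify_log(tampered)
    return {
        "intact_before": intact_before,
        "intact_after": intact_after,
        "bad_index": bad_index,
        "client_0001_accesses": accesses_to(log, "client-0001"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain catches edits and deletions in the middle of the log, but not someone chopping entries off the end; to cover that, record the latest tag somewhere the log writer cannot change (a daily printout in the locked cabinet from the paper-file tip above would do for a small practice).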
The laws also want you to pay particular attention to portable devices such as laptops, USB keys and electronic wireless devices because they can potentially store sensitive information, and may be subject to loss or theft. All of these devices should be password protected and have the strongest form of protection possible.
Hot Tip: Check out these Ten Tips for Reducing the Likelihood of a Privacy Breach.
How do you know the security of your email/esurvey/eform provider?
Think about things like:
Can you obtain “express consent?”
How do they secure the information? (Password? Encryption?)
How is it transmitted (Do you log into the site? Is it emailed?)
Who meets all of these requirements?
The absolute best way to handle all of this information is with a platform that has the maximum security. They cost money, but you can be assured that you are using, as they say, the “strongest form of protection possible.”
If email is one way you send and receive health information from clients, then you can consider HushMail. They are out of Vancouver, are fully HIPAA compliant (encrypted) AND they don’t cost an arm and a leg.
They don’t provide any forms or invoicing options, they only do email.
Telephone/Video call solution
Sorry to say, Skype is not HIPAA-compliant, but there is an option called Bridge that provides encrypted phone and video conferencing.
Healthcare practitioner solution
If you’re looking for a more complete healthcare practitioner solution that has forms, waivers, booking, invoicing, etc., you may consider a service like Better Client Management, launching at the end of 2016.
Getting Rid of Information
And when that time comes when you just don’t need those paper files any more, do NOT throw them in the garbage or recycling. Here’s an example of how NOT to get rid of client information.
Hot Tip: Invest in a shredder!
Are you overwhelmed yet?
Well don’t be. This post is absolutely NOT meant to freak you out or have you worry – it’s just one step toward making your wellness practice even more awesome!
“The fact that a breach has occurred is not necessarily indicative of a contravention of the Act. While an organization may not have been able to prevent a breach, it may still have had appropriate safeguards in place.”
If you do have a privacy breach – start here: “Key steps for organizations in responding to privacy breaches.”
Of course, having your policy shows your website readers:
1. How you handle their personal information.
Hot Tip: If you ever change what information you collect, how you store it, etc., you need to update your policy to let everyone know.
2. And of course, that you’re professional, responsible, and serious about your business. It also shows anyone who may consider doing business with you (sharing a space, consulting with you about clients, etc.) that they can rest assured you will handle health information exactly as your policy states.
Start with a Privacy Plan
How much would you like to read this:
“Congratulations! You have finished the privacy course. Your privacy plan is ready for download and can now be put into action. You may print your privacy plan for your files or sign in at any time to retrieve it and make any necessary changes.”
If the answer is yes, then build a privacy plan for your business here.
Well, as I mentioned earlier, there is an online questionnaire that helps you build your own customized “Privacy Plan”. It’s called the (you guessed it!) “Build a Privacy Plan for Your Business Toolkit.”
You may want to grab your favourite tea and spend some time on this in the near future. I recommend 30 minutes for the questionnaire, plus another 30+ minutes to review the plan and figure out how you can implement it.
Hot Tip: Now that it’s fall, my favourite “tea” is slices of lemon & an inch of ginger, covered with cold water, then filled to the top with boiling water. But I do love a matcha latte (please provide recipe recommendations in the comments below – I’m always looking for new ideas). Whatever awesome drink you prefer, you should really grab one and check out that tool.
To describe the Privacy Plan questionnaire briefly: you basically go through all of the information you collect, how you use it, and who might see it. Then, it cross-references all of the “uses” to ask you which information you actually may NOT need to collect. Then you see your plan!
You also need to let people know that you won’t spam them, and they can unsubscribe from your newsletter any time they want to.
Online legal policy generators – Good? Bad? Ugly?
You may consider an online policy generator; but, before you purchase one, read their fine print. (After getting this far into this article, you’re either going to want to read everyone’s fine print, or want to never read anyone’s fine print…that’s what lawyers are for, right?)
First thing to note about the policy generator is what country/laws does the policy cover?
They probably also have a handy disclaimer (more on that soon!) that might say that their policies were written by a lawyer, but do not constitute legal advice; that they don’t provide any warranty as to the accuracy or completeness of them; that you use them at your own risk; and that there is no attorney-client relationship.
Of course, the best way would be to consult with your licensed legal representative and have something drafted just for you that reflects exactly all the ways you collect, use and disclose information, and how you comply with the laws.
Question for you…
Next on the docket….
All of your legal policies (privacy, terms & conditions, disclaimers, etc.), along with your liability insurance are part of your overall business “risk management strategy”. They help you reduce risks in your business, just in case someone misunderstands what you say, and/or takes your advice and something happens.
Hot Tip: The “Terms & Conditions” is all about your content and how you do business (your refund policy, your physical location so any legal issues will be dealt with in your province/state, etc.) Your “disclaimer” is all about what you say and do and how that should be interpreted by website readers and clients.
In a nutshell, the “disclaimer” clarifies you and your role.
It does this by “disclaiming liability”, i.e. by setting clear expectations from the beginning and preventing misunderstanding. Basically, it communicates exactly what you do and don’t do so your role and boundaries are understood.
Having a medical disclaimer shows that you care about your clients, and want to help set up and maintain relationships. You don’t want anyone to be confused or misunderstand the scope of your services, or whether or not you’re overriding what their doctor says.
The more transparent, open and honest you are, the better your client relationships will be.
Specifically, the purpose of a medical disclaimer is to limit your liability so you can feel secure and empowered. It makes it abundantly clear how you help people and what you do not do. It helps you to manage expectations and create clear boundaries so that readers and clients assume their own risk.
Hot Tip: The website disclaimer should specify that you are sharing information, NOT giving medical advice!
Of course, you want to stay within your scope of practice and do nothing but help improve your client’s health; however, there may be circumstances that happen that may put your business and reputation at risk – you want to protect yourself before that ever happens.
Hot Tip: Nothing is iron-clad. Of course, if you actually are negligent, do something illegal, or don’t follow what your policy states, it won’t protect you. But you totally wouldn’t do that!
What do you need to say in your medical disclaimer?
Your medical disclaimer is very dependent upon your education and training, licensing, the industry associations you belong to, the products and services you provide, etc.
In order to have a proper medical disclaimer, you have to take into consideration your scope of practice and ethical codes of conduct.
Hot Tip: Contact schools, licensing boards and industry associations to find out exactly what scope of practice your training permits. Also, consider other applicable laws in your and your clients’ province(s)/state(s).
You may want to include things in your medical disclaimer like:
- Information on my website is for education and entertainment purposes only
- It is general information and should not be taken as medical advice
- Consult your physician before you change your diet, supplement or exercise program
- Any changes you make are at your own risk based on your own judgment
- I am trained in a, b & c, and am not acting as an x, y or z
- I provide services a, b & c, and that should not be construed as providing x, y or z
- Any testimonials provided are examples of happy clients, and I cannot guarantee results
Where to display your medical disclaimers
Everywhere you share information!
Consider displaying it:
- On the footer of your website
- At the end of each blog post
- In your Facebook groups and membership sites
- On the sales page of every single product and program you sell
- Embedded within those products and programs too
Hot Tip: Make it conspicuous – Don’t hide it with tiny font or a colour that blends in with the background. Show it off!
Finally, where can I get legal advice?
There are a number of lawyers in Canada and the US who provide services to online small businesses, and a few who even specialize in health practitioners.
Legalzoom.ca – LegalZoom.ca, in association with CorporationCentre.ca provides small business owners and entrepreneurs with a fast and efficient way to incorporate their business. Launch your dreams with LegalZoom.ca.
CANNP (Canadian Association of Natural Nutritional Practitioners) has “The Holistic Nutritionists Legal Guide”, which you can find here.
Two US lawyers (below) put together a legal program for entrepreneurs called “Damsel Goes Bare”
Genavieve Shingle (join her Facebook group here)
Lisa Fraley (has a Facebook group too, plus she’s also a Health Coach)
US lawyer for entrepreneurs Rachel Rodgers has the Small Business Bodyguard
Karen Taggart is a lawyer for entrepreneurs (US)
Tamsen Horton helps busy moms and business owners through her US practice called Vuja De Law
Jade & Oak specializes in legal blogging (US)
I totally hope that this was a good kick in the butt to make sure your wellness business is legal. This is one step that can take your business farther, and with a bit of your time and personalized legal advice, you can do it!
About the Author
Leesa Klich (MSc, RHN) is a science nerd, health writer, and holistic nutritionist. In her previous life as a Safety Specialist in the healthcare product industry, she also held the responsibility of being the Privacy Officer for several years. Now, she loves bringing out the best in science and holistic health, researching and writing health articles for her nutrition practice, as well as for other wellness professionals. Download her free list of science-based health resources here. P.S. While Leesa has extensive experience in Regulatory Affairs, has taken several legal courses, and is pretty fluent in “legalese”, she is not a lawyer. You can check her website out here. And download her free Science-based Health Information Supplement Resources here.