Virtual health care: Managing privacy risks part one

Ira Parghi

Tanvi Medhekar

The ongoing shift to virtual health care has brought with it new privacy and security risks. “Virtual health care” refers to the use of video or audio technology communications to provide non-urgent, non-emergency health-care services remotely in real time. Virtual health-care services may include medical consults, counselling, coaching, psycho-education, intervention services and other direct services. And they are becoming increasingly common as the pandemic enters its second year.

In this, the first in a two-part series, we identify some of the privacy and security risks associated with virtual health care and offer general guidance on how they may be managed. In the course of this discussion, we highlight some of the key recommendations contained in a guideline recently issued by the Information and Privacy Commissioner of Ontario, titled Privacy and security considerations for virtual health care visits (the IPC Virtual Care Guideline). Although this article focuses largely on health-care institutions and providers (together, “institutions”), many of these recommendations would also apply to social service agencies and providers that have made a similar shift towards virtual service provision.

What privacy-protecting steps should institutions take when providing virtual health care?

Institutions continue to be subject to the requirements of the Personal Health Information Protection Act (Ontario) (PHIPA) when they are providing virtual health-care services, because they continue to function as health information custodians for the purposes of PHIPA. As the IPC Virtual Care Guideline observes, these obligations include requirements to contract appropriately with electronic service providers and health information network providers; to collect, use, and disclose Personal Health Information (PHI) only when and to the extent necessary; and to take reasonable steps to safeguard PHI (pp. 2-3).

The safeguarding requirement means that institutions providing virtual health care should consider whether to enact policies governing the use of the virtual health-care platform and whether their staff should be trained on privacy-protecting ways to use the platform, such as:

• using only the approved platform to provide virtual health care;
• using only institution-issued or institution-approved devices to provide virtual health care;
• verifying the identity of the patient before starting to provide virtual health care;
• providing virtual health care to patients only from appropriately private locations; and
• not recording the provision of virtual health-care services to patients.

The IPC Virtual Care Guideline also recommends additional privacy and security safeguards, including, for example (pp. 6-8):

• installing firewalls and using the latest security and anti-virus software;
• maintaining and monitoring audit logs;
• keeping technology and portable devices containing PHI in a secure location;
• ensuring employees and other agents are appropriately trained in using secure virtual health-care platforms and are aware of their ongoing obligation to avoid collecting, using and disclosing PHI except as necessary;
• adopting a robust system of access controls and ensuring authorizations on a need-to-know basis; and
• providing ongoing security training for employees and other agents and performing regular threat risk assessments.

The IPC Virtual Care Guideline urges institutions to ensure that their existing privacy and information security policies, breach management protocols and information security management frameworks address the risks that may arise in connection with providing care through a digital platform (p. 4). Additionally, it provides guidance on the selection of digital platforms and appropriate contracting with platform providers, and includes a link to the Virtual Visits Solution Standard developed by Ontario Health to facilitate the secure provision of virtual health care (p. 5).

What privacy risks should institutions communicate to virtual health-care patients through consent process?

Institutions are encouraged to inform their virtual health-care patients ahead of time of some of the potential risks, including privacy-related risks, associated with virtual health care, and to obtain their express consent to receiving virtual health care. For instance, they should consider informing patients of the following:

• that the virtual health-care services will be made available through third-party platforms, and the ways in which this limits the institution’s liability;
• that the use of virtual health care may increase the risk of patient information being unintentionally disclosed or intercepted by third parties;
• that while the institution will make reasonable efforts to protect the privacy and security of patient information, it is not possible to completely secure electronic information and therefore the security and confidentiality of the virtual health-care services cannot be guaranteed;
• the safeguards that the institution will implement to protect the privacy of the patient information collected and used when providing virtual health care;
• that patients should take steps to protect their privacy when receiving virtual health care (e.g. confirming their identity with their health-care provider as appropriate; using the virtual health-care platform only from a private location, on their own computer or device, and on a password-protected Wi-Fi network; and not recording the virtual health-care appointment); and
• that privacy laws will continue to apply, and, accordingly, that patient information may be used or disclosed as permitted or required by law (e.g. if there is a risk of harm to an individual or a child is in need of protection under the Child, Youth and Family Services Act, 2017).

The IPC Virtual Care Guideline addresses patient consent as well (p. 6).

We recommend that institutions evaluate how best to convey such consent-related information to their virtual health-care patients, in light of their business operations and their patient population. They should ensure these points are discussed in general terms with each patient during their initial virtual encounter and that the patient is given the opportunity to ask questions before the appointment proceeds. It may also be appropriate to provide the patient with this information in writing and/or direct them to such written information on the institution’s website.

What precautions should institutions take when e-mailing with virtual health-care patients?

We suggest that institutions assess the extent to which providing virtual health care will require them to communicate more frequently with patients via e-mail or other electronic means. If it will, consideration should be given to whether such electronic communications can be encrypted. The IPC Virtual Care Guideline is clear on this point, providing, “Custodians should use encryption for emails to and from patients that contain personal health information.” (p. 9.)

This is the first of a two-part series. Read the second article: Virtual health care: Managing privacy risks part two.

Ira Parghi is a lawyer at Borden Ladner Gervais LLP in the health care and cybersecurity, privacy and data protection groups. Tanvi Medhekar is an articling student at BLG’s Toronto office.

Photo credit / Chaay_Tee ISTOCKPHOTO.COM

Interested in writing for us? To learn more about how you can add your voice to The Lawyer’s Daily, contact Analysis Editor Richard Skinulis at Richard.Skinulis@lexisnexis.ca or call 437- 828-6772.