An Introduction to Privacy Legislation

Are you concerned about the safety of patient information when sending out medical files for transcription?  Read the following article to learn about PIPEDA and how to keep your patients' information as safe as possible.

Please note:  Most information is excerpted from the Office of the Privacy Commissioner of Canada’s web site.  For more information, please go to

  1. What is PIPEDA?
    PIPEDA stands for “Personal Information Protection and Electronic Documents Act”.  PIPEDA is Canada’s private sector privacy law.
  2. When did PIPEDA impact the health care sector?
    PIPEDA came into effect in three stages, beginning in January 2001.  On January 1, 2002, the Act was extended to personal health information for the organizations and activities covered in the first stage. Personal health information is defined as information about an individual’s mental or physical health, including information concerning health services provided and information about tests and examinations.  PIPEDA entered its third and final stage of full implementation in January 2004, and now covers all personal information of customers that is collected, used, or disclosed in the course of commercial activities by private sector organizations, except in provinces that have enacted legislation deemed substantially similar to the federal law.
  3. How does PIPEDA affect how I can send patient identifiable information?
    Regular mail is the most secure of the common ways of sending information.  Many physician offices rely on faxing information, especially between family physicians’ and specialists’ offices. For more information on best practices for sending faxes, go to
  4. How secure is email?
    Email is not a secure way of sending patient identifiable information.  An excerpt from Fact Sheet:  Protecting Your Privacy on the Internet, reads, ‘Most of us have strong expectations of privacy when sending email, but the reality is that sending an email message is like sending a postcard. It is not technically difficult for a copy to be made in transmission. And once you send an email, you have lost control over it and its contents. In this world of electronic networks and instantaneous communications, your “personal” message can be forwarded to a public forum for the entire world to see with the click of a mouse. Whether in the public domain or not, email messages are often permanently archived and subject to indexed search and retrieval. Perhaps one of the most serious privacy violations occurs when someone else obtains your username and password to your email account. With this information, your incoming mail can be downloaded and read by others for years, without you ever knowing.’ (for the complete “Fact Sheet:  Protecting Your Privacy on the Internet”, go to )  If you choose to use email, at the very least encrypt the documents before attaching them. A “password protected” document is only as strong as the encryption built into that file format and the passphrase you choose, so prefer a modern, strongly encrypted container (AES-256) with a long passphrase, and give the recipient the passphrase by a separate channel such as a phone call, never in the same email. Keep in mind that the subject line, sender and recipient addresses still travel in the clear, so keep patient identifiers out of them.

    For more information on PIPEDA and the Health Care sector, visit
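One way to do the encryption recommended above is to wrap the document in an AES-256 container with a key derived from a passphrase, and to give the recipient a fingerprint of the original so they can confirm nothing was altered in transit. The script below is an added example, not code from the original article or from 2Ascribe; it assumes the OpenSSL command-line tool is installed (version 1.1.1 or newer, for the -pbkdf2 option) and uses a constructed sample file rather than real patient data.

```shell
#!/bin/sh
# Added example (not from the original article or from 2Ascribe): encrypt a
# patient document before attaching it to an email, so that the passphrase,
# not the mail path, is what protects the contents.
# Assumes the `openssl` command-line tool (1.1.1+ for -pbkdf2) is installed.

# encrypt_attachment PLAINTEXT OUTPUT
# The passphrase is read from $ATTACHMENT_PASSPHRASE rather than from argv,
# so it does not appear in `ps` output or in the shell history.
encrypt_attachment() {
    [ -n "$ATTACHMENT_PASSPHRASE" ] || { echo "set ATTACHMENT_PASSPHRASE first" >&2; return 1; }
    # -pbkdf2 -iter 600000: slow key derivation makes passphrase guessing costly.
    # -salt: a fresh random salt per file, so identical files do not encrypt alike.
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
        -pass env:ATTACHMENT_PASSPHRASE -in "$1" -out "$2"
}

# decrypt_attachment ENCRYPTED OUTPUT  (recipient side, same passphrase)
decrypt_attachment() {
    [ -n "$ATTACHMENT_PASSPHRASE" ] || { echo "set ATTACHMENT_PASSPHRASE first" >&2; return 1; }
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -pass env:ATTACHMENT_PASSPHRASE -in "$1" -out "$2"
}

# fingerprint FILE: SHA-256 of the document. Read it to the recipient over the
# phone together with the passphrase; they compare it after decrypting.
fingerprint() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# roundtrip_check: constructed sample document -> encrypt -> decrypt -> compare.
# Prints "ok" and returns 0 when the round trip succeeds.
roundtrip_check() {
    dir=$(mktemp -d) || return 1
    # Constructed sample data, not a real patient record.
    printf 'Constructed sample, not real patient data.\nPatient: J. Doe\n' > "$dir/report.txt"
    ATTACHMENT_PASSPHRASE='correct horse battery staple 2ascribe-demo'
    export ATTACHMENT_PASSPHRASE
    encrypt_attachment "$dir/report.txt" "$dir/report.txt.enc" || return 1
    # The ciphertext must not contain the plaintext.
    if grep -q 'J. Doe' "$dir/report.txt.enc"; then echo "plaintext leaked" >&2; return 1; fi
    decrypt_attachment "$dir/report.txt.enc" "$dir/report.dec" || return 1
    cmp -s "$dir/report.txt" "$dir/report.dec" || return 1
    [ "$(fingerprint "$dir/report.txt")" = "$(fingerprint "$dir/report.dec")" ] || return 1
    rm -rf "$dir"
    echo ok
}
```

Two caveats a practitioner should keep in mind: `openssl enc` in CBC mode gives confidentiality but no built-in integrity check, which is why the fingerprint is shared out of band; and the passphrase must never ride in the same email as the attachment. Where both offices can set up S/MIME or PGP keys, that is the better long-term arrangement, since it removes the shared passphrase altogether.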

  5. What are PIPEDA’s key principles?
    The 10 key principles of PIPEDA are listed below; they apply to every organization* covered by the Act.

    1. Organizations are accountable for the protection of personal health information under their control.
    2. The purposes for which the personal information is being collected must be identified during or prior to the collection.
    3. Information must be collected with the knowledge and consent of the individual and for a reasonable purpose.
    4. The collection of personal information is to be limited to what is necessary for the identified purposes and will be collected by fair and lawful means.
    5. Information can only be used and disclosed for the purpose for which it was collected and will be retained only as long as it is necessary to fulfil the purpose.
    6. Information must be as accurate, complete and up-to-date as possible.
    7. Information must be protected by adequate safeguards.
    8. Information about an organization’s privacy policies and practices is to be readily available.
    9. Information must be accessible for review and correction by the individual whose personal information it is, and;
    10. Organizations are to provide the means for an individual to challenge the organization’s compliance with the above principles.

    For a more complete discussion on this, go to

    * Organizations include associations, partnerships, trade unions, agencies, and institutions. It also includes health care providers in private practice.

  6. What is required to comply with the security standards set out in PIPEDA?
    Organizations should assess their current security practices.  As needed, security provisions include: 

    • Developing and implementing a security policy to protect personal health information. The effort and resources needed will vary substantially according to the size and type of organization. For a sole practitioner’s office, this could simply be a short document describing how the information is safeguarded, covering:
      • physical measures (locked filing cabinets, restricting access to offices, alarm systems)
      • technological tools (passwords, encryption, firewalls, anonymizing software)
      • organizational controls (security clearances, limiting access on a “need-to-know” basis, staff training, confidentiality agreements)
    • Making employees aware of the importance of maintaining the security and confidentiality of personal information by holding regular staff training on safeguards.
    • Reviewing and updating security measures regularly.

    More information is also available in the Canadian Medical Association’s Health Information Privacy Code, at

For information on 2Ascribe Inc.’s medical transcription privacy information please visit our Privacy Policy and our Notice of Privacy Practices documents.

Check our medical transcription dictation tips next month to learn about the benefits of outsourcing your medical transcription.
