Audit & Compliance
As an IT provider for Medical Clinics, SupportLINK is fully BC PIPA compliant.
In addition, all of SupportLINK’s suppliers are SOC2 Type 2 and / or HIPAA compliant.
After a review of 30 randomly selected BC medical clinics under section 36 of PIPA, the Office of the Information & Privacy Commissioner for British Columbia made the below recommendations.
- Clinics should ensure adequate funding and resources for effective privacy management programs.
- Clinics without privacy officers must immediately designate one or more individuals to be responsible for ensuring the clinic complies with PIPA.
- Clinics should establish, document, and communicate clear internal reporting structures for issues related to privacy management.
- Clinics should develop and maintain an inventory of all types of personal information the clinic collects, the purposes for collection, where the information is stored, and its sensitivity.
- Clinics should develop and maintain policies and practices necessary to meet the obligations under PIPA, including developing a process to respond to privacy complaints.
- Clinics should provide mandatory training and education for all staff, physicians, contractors and others who may access personal information the clinic collects.
- Clinics should ensure that all staff, physicians, contractors, and others who access personal information review the clinic’s privacy policies and sign a confidentiality agreement.
- Clinics should establish, document, and communicate clear breach reporting and response processes.
- Clinics should ensure written contracts and information sharing agreements express expectations for privacy protection.
- Clinics should develop processes to identify and mitigate privacy and security risks for all clinic processes that involve personal information, including risk assessment prior to any new collection, use or disclosure of personal information.
- Clinics should develop an annual review plan that details how the clinic will monitor and assess the effectiveness of the clinic’s privacy management program.
- Clinics should limit their collection of personal information online and provide patients with uniqueuserIDsfor online booking.
- Clinics must notify individuals in clear terms of the purposes for which they are collecting personal information online.
- Clinics should post privacy policies online that detail the collection, use, and disclosure of personal information through the website (including device identifiers).
- Clinics should review administrative, physical, and technological safeguards and ensure they are reasonable considering the type and sensitivity of personal information the clinic collects.
- Clinics should conduct regular risk assessment, audit and compliance monitoring activities.
The complete report is available here: https://www.oipc.bc.ca/audit-and-compliance-reports/2340
SupportLINK will help BC physicians meet their BC PIPA obligations under the legislation by
- Assisting with implementing the above recommendation
- Implementing physical safeguards, such as office layout, server and backup security, and printer and fax security
- Implementing technological safeguards, such as
- passwords and authentication
- portable laptops security
- session time-outs
- regular software updates
- firewalls and virus scanners
- encryption for hard drives and mobile devices
- retention of access logs for audits of electronic user access
- internet access
- secure fax