Virtual health care: Managing privacy risks part two

Thursday, April 01, 2021 @ 8:34 AM | By Ira Parghi and Tanvi Medhekar

In the first article in this two-part series, we identified some of the privacy and security risks associated with virtual health care and offered general guidance on how they may be managed. In the course of this discussion, we highlight some of the key recommendations contained in a guideline recently issued by the Information & Privacy Commissioner of Ontario, titled Privacy and security considerations for virtual health care visits (the IPC Virtual Care Guideline).

This article will address the issues of risk assessments, e-mail policies and patient consent.

Where encryption is not feasible, the IPC Virtual Care Guideline requires institutions to assess whether using unencrypted e-mail “is reasonable in the circumstances” after considering “all relevant factors,” including the sensitivity of the information, the purpose of the transmission and the urgency of the situation (p. 9). We encourage institutions to capture this assessment in writing and to consider all relevant factors, including the types and volumes of Personal Health Information (PHI) contained in the institution’s e-mails to patients and the scope of its e-mail safeguards (discussed below).

Of note, in 2016 the IPC issued a Fact Sheet titled Communicating Personal Health Information By Email (IPC Email Fact Sheet), which elaborates on some of the points that health information custodians that wish to use e-mails with their patients might think through. The IPC Email Fact Sheet encourages institutions using unencrypted e-mails to have a written electronic communications policy and to notify patients about the policy (p. 4).

Additionally, the IPC Email Fact Sheet requires institutions to obtain patient consent to the use of unencrypted e-mails (p. 4). When considering the consent process, we encourage institutions to first determine whether they intend to use unencrypted e-mails for administrative purposes only (such as appointment scheduling), or also for purposes relating to clinical care (such as communicating with patients about their medications, ongoing symptoms and the like). In the latter scenario, the types and volumes of PHI being communicated via e-mail, and the commensurate risks associated with using e-mail, will increase. Institutions are encouraged to approach the consent process with these considerations in mind.

The IPC Email Fact Sheet provides that the consent can take different forms: it can be a self-standing written document; it can be embedded within the form the patient completes when providing the institution with their e-mail address; or it can take the form of a verbal discussion if the individual provides their e-mail address to the institution verbally (p. 4). Another option would be for the consent to be embedded within the online registration for virtual care services. We recommend that institutions adopt a written consent process or ensure that verbal consent is documented in the patient’s record.

Regardless of the purposes for which unencrypted e-mails are to be used, we suggest that institutions consider addressing the following in their consent discussions and documentation:

  • That, with the patient’s consent, the institution may send the patient text messages, e-mail or other forms of electronic communication, and the purposes for which the institution may send such messages (i.e. appointment scheduling and confirmation, patient care, etc.);
  • The patient’s consent options, so that the patient can choose the circumstances in which they consent to receiving unencrypted e-mails (e.g. the patient might agree to receive administrative e-mails only, or e-mails pertaining to their clinical care as well) (see the IPC Email Fact Sheet p. 4);
  • That response times to electronic communications cannot be guaranteed, and that therefore patients should not communicate electronically in emergency situations or where an urgent response is required;
  • That electronic communications may be forwarded to those involved in the delivery and administration of care (e.g. staff who schedule appointments) but will not be forwarded to third parties, including family members, except with the patient’s consent or as authorized or required by law; and
  • That the privacy risks associated with virtual health care also apply to the use of electronic communications, and that there are additional risks associated with use of electronic communications (e.g. risk of being misdirected, received by unintended recipients, forwarded or circulated without the patient’s or institution’s knowledge, or accessed on portable devices — e.g. cell phones, laptops — that are more vulnerable to theft and loss).

E-mail safeguards

If the shift to virtual health care is likely to bring about an increase in unencrypted e-mail communications with patients, we recommend that institutions consider the state of their e-mail safeguards. For instance, it may be appropriate to train institution staff on avoiding or minimizing PHI when e-mailing with patients and on double checking e-mail addresses prior to sending e-mails out. The IPC Virtual Care Guideline lists additional safeguards to consider, such as (pp. 8-9):

  • notifying patients in the e-mail that the information received is confidential, and providing them with instructions to follow if an e-mail is received by mistake;
  • confirming that e-mail addresses are up to date;
  • restricting access to the e-mail system and to e-mail content on a need-to-know basis; and
  • storing PHI on servers only for as long as is necessary for the intended purpose.


At the outset of the pandemic, institutions did a great deal to roll out virtual health care rapidly in the interests of patient welfare. They are to be commended. Now that this initial transition has taken place, and virtual health care shows no sign of slowing down, it may be an opportune time for institutions to consider some of its potential privacy and security risks and how best to manage and mitigate them. These articles are intended to help with that important process.

This is the second of a two-part series. Read the first article: Virtual health care: Managing privacy risks part one

Ira Parghi is a lawyer at Borden Ladner Gervais LLP in the health care and cybersecurity, privacy and data protection groups. Tanvi Medhekar is an articling student at BLG’s Toronto office.
