PIPEDA Compliance Guide

Overview

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to private-sector organizations collecting personal information. Additionally, provinces like Ontario (PHIPA), Alberta (HIA), and Quebec (Act Respecting the Protection of Personal Information in the Private Sector) have specific health privacy laws.

This guide explains how Dermi Atlas Professional features support compliance with these Canadian privacy frameworks.

Custody and Control

Under Canadian privacy laws, the healthcare provider is typically the "Health Information Custodian" (HIC) or "Trustee."

Dermi's Role: Dermi develops and licenses the Dermi Atlas Professional software. Because Dermi Atlas Professional is deployed on the practice's own infrastructure and stores personal health information locally, Dermi Inc. does not access personal health information as part of normal operations. The full description of Dermi's role and the data Dermi processes is set out in the Dermi Privacy Policy, the Dermi Atlas Professional EULA, and the Dermi Sub-Processors document. Practices should consult their privacy officer or legal counsel for the resulting determination under PIPEDA and applicable provincial laws.

Supporting the Fair Information Principles

Dermi Atlas Professional provides tools that align with the core principles of PIPEDA:

Principle: Consent

Feature: Consent Management

Dermi Atlas Professional includes a configurable consent workflow. In the Patient Consent for Clinical Photography preference, the system can be set to Disabled, Advisory, or Required. Required enforces documented patient authorization before clinical images can be captured; Advisory displays consent reminders during capture.

• Digital Capture: Patients can acknowledge consent directly within the app.
• External Verification: Clinicians can log that written or verbal consent was obtained externally.
• Revocation: The system tracks if a patient revokes consent.

Principle: Safeguards

Feature: Security Architecture

The system provides technical safeguards appropriate to the sensitivity of health information:

• Encryption: TLS encryption for local network traffic.
• Authentication: Strong password enforcement and optional Two-Factor Authentication (2FA).
• Isolation: Data is logically separated between user accounts.

Principle: Accountability and Openness

Feature: Audit Trails

To demonstrate accountability, the system maintains detailed logs of who accessed or modified patient data. This is critical for responding to patient inquiries or privacy commissioner investigations.

Principle: Individual Access

Feature: Export Capabilities

If a patient requests access to their medical images, Dermi Atlas Professional allows the practice to:

• Export complete Patient Reports as PDFs.
• Download high-resolution copies of original images.
• Review the audit log entries associated with a specific patient record.

Provincial Considerations

Ontario (PHIPA)

PHIPA requires custodians to take reasonable steps to ensure that personal health information is protected against theft, loss, and unauthorized use. Dermi Atlas Professional's local storage model and audit logging features support these requirements by keeping patient data off third-party clouds during normal clinical use and by tracking access.

Alberta (HIA) and Quebec

These jurisdictions have stringent requirements regarding information location and safeguards. Because Dermi Atlas Professional data resides on hardware located within the clinic, the architecture mitigates cross-border data transfer concerns often associated with US-based cloud services.

Breach Response

Canadian privacy laws typically require reporting breaches that create a "Real Risk of Significant Harm" (RROSH).

How Dermi Atlas Supports Response:

If a device is lost or a user account is compromised, the Dermi Atlas Professional audit logs help the practice assess the scope of the breach to determine if it meets the reporting threshold. The logs identify which records were viewed or downloaded during the compromised session.

Checklist for Administrators

To maximize privacy compliance when using Dermi Atlas Professional:

• Enable Comprehensive Logging: Set Audit Logging to Comprehensive in Dermi Atlas Manager to record all system interactions and ensure a complete audit trail.
• Secure the Host: Use full-disk encryption (BitLocker/FileVault) on the computer running the software.
• Manage Backups: Ensure backups are stored in a secure, encrypted location separate from the host computer.
• Configure Consent: Align the Patient Consent for Clinical Photography setting in the Atlas web app Preferences with the clinic's internal policy forms.
• Privacy Officer: Designate a user to review access logs on a monthly basis.

Disclaimer: This document provides technical guidance on software features. It is not legal advice. Practices should consult with a privacy officer or legal counsel regarding specific obligations.

Related Resources

• Security and Compliance Fundamentals for a broader overview of the platform's security posture.
• Audit Logging Configuration for configuring and reviewing activity logs.
• HIPAA Compliance Guide for United States regulatory guidance.
• Managing Patients for consent tracking and patient record management.