Telehealth in Canada: The Cyber Risks to Virtual Care

By Ruth L Stewart, BA, RN, MHA, CHE | Published September 16, 2020

Canada was an early pioneer in the use of telemedicine.1 In 1977, three studies connected extremely remote northern sites with urban tertiary care hospitals using two-way audio and one-way video2. Since then, however, the use of digital technology for patient care in Canada has fallen behind other countries. According to the latest reported data from 2014, there were 411,778 telehealth clinical sessions in Canada, representing just 0.15% of the 270.3 million billable services.3


Virtual care has principally been used to eliminate distance barriers and deliver clinical services typically not available in Canada’s remote and rural communities4. COVID-19 has fast-tracked the adoption of virtual medical care across Canada as a safe means of providing clinical services while avoiding face-to-face physician-patient interactions5.  


Telehealth offers benefits for both healthcare providers and patients, and brings a variety of options for how and where healthcare can be delivered. However, the use of any technology platform comes with risk, and each healthcare provider must carefully identify the risks to their practice and their patients, mitigate these risks, and have the appropriate insurance coverage in place.


Physician Practice Guidance on Providing Virtual Care:

While no credentialing is required for the delivery of virtual care in Canada, the licensing requirements for providing virtual care across provincial/territorial boundaries vary across the country. Some physicians providing virtual care might need to be licensed in two jurisdictions – their own and the patient’s. The Canadian Medical Protective Association (CMPA) recommends that physicians be familiar with the requirements of each province and territory in which they practice and in which their patients reside. The question of where the telemedicine encounter occurred may also be relevant in the event of a legal action.


With the advent of COVID-19 and resultant closure of non-essential services, the Royal College of Physicians and Surgeons of Canada (RCPSC), the College of Family Physicians of Canada (CFPC) and the Canadian Medical Association (CMA) released a ‘Virtual Care Playbook’ to help physicians introduce telemedicine into their practice. The playbook covers the following topics: fitting virtual care into your practice workflow, technology requirements, what problems can be safely assessed and treated, “webside” manner, and the virtual visit from beginning to end.6


Key messages from the playbook include:


  • Patient consent for a virtual care visit: If practical, the patient should sign a document (such as the template developed by the CMPA7) for virtual care or the physician should document the patient’s verbal consent in the patient’s health record.
  • Technology requirements: Include adequate screen space; high-definition video camera with microphone; good-quality speakers or earphones/headphones; secure USB drive; and videoconferencing software.8 Other considerations include the possibility of network instability, which may result in service disruptions and poor-quality transmission.9
  • Scope of practice: The playbook states that the following conditions are currently not amenable to virtual care: “any new and significant emergency symptoms such as chest pain, shortness of breath and loss of neurologic function; and ear pain, cough, abdominal/gastrointestinal symptoms, musculoskeletal injuries or conditions, most neurological symptoms and congestive heart failure.”10 A virtual assessment of these conditions may result in misdiagnosis. The playbook recommends that these conditions should be evaluated during an in-office patient assessment. 
  • “Webside” manner: The playbook suggests that the virtual visit be conducted in a setting that prevents others from overhearing the exchange with the patient, using a professional background for the visit, and eliminating distractions and interruptions.
  • The virtual visit from beginning to end: Other considerations include authenticating the patient’s identity; asking the patient if she or he is in a private, quiet setting; and documenting the encounter.


Privacy, Security and Cyber Risk:

Healthcare providers delivering virtual care must ensure their practices and clinic policies and procedures are compliant with the provinces’/territories’ regulations for ensuring the privacy and security of personal health information provided during virtual encounters. Any application selected for texting, voice and video calling should be specifically designed for healthcare to meet its security and privacy requirements. Typical security controls are data encryption, user authentication and access control mechanisms. Both practitioners and patients need to be educated about security best practices when they connect from home.


Physicians use various applications, devices and software programs to connect with patients. According to HIPAA’s telemedicine Privacy Rule guidelines, insecure channels of communication, including email, SMS and Skype, are not acceptable for communicating electronic protected health information at a distance.11 Absent a Canadian framework for the delivery of virtual care and other telehealth services, the Virtual Care Task Force (created by the CMA, CFPC and RCPSC) states the following: “A virtual care ecosystem should be supported by a robust privacy policy suite designed to protect the privacy and security of all patient health information in a manner that delimits access to a person’s information on a need-to-know basis to provide quality care and service based on the will of the information owner”; and recommends a national framework to regulate the safety of virtual care technology and systems.12


After the COVID-19 outbreak, physicians were limited to providing in-person care for essential services. Physicians moved to connecting with patients virtually using a variety of applications. British Columbia, Alberta and Ontario opted to pay for virtual walk-in clinic visits using the application Babylon by Telus Health. Babylon is a free downloadable app marketed by Telus Health that lets residents of the three provinces meet with physicians in one-on-one video consultations through their smartphones. On April 21, 2020, Alberta’s Information and Privacy Commissioner launched two investigations into Babylon by Telus Health after concerns were identified in separate privacy impact assessments (PIAs) that a Calgary-based physician and Babylon Health Canada Limited had submitted on the app.13


As technology grows more sophisticated, so does our coverage:

CNA provides Technology Errors & Omissions and Cyber coverages with a flexible structure and terms.

CNA does not extend medical malpractice insurance to physicians for medical services, as all licensed Canadian physicians are members of the CMPA, which provides medico-legal assistance to physicians, including legal defence.


1 Canadian Medical Association. (2019). Virtual Care in Canada: Discussion Paper. Retrieved at:

2 House, A., & Roberts, J. (1977). Telemedicine in Canada. Retrieved at:

3 COACH: Canadian Institute for Health Information. (2015). Canadian Telehealth Report. Retrieved at:

4 Ibid.

5 Hardcastle, Lorian & Ubaka Ogbogu. (2020). Virtual care: Enhancing access or harming care? Retrieved at:

6 Canadian Medical Association (CMA), College of Family Physicians of Canada (CFPC), and Royal College of Physicians and Surgeons of Canada (RCPSC). (March 2020). Virtual Care Playbook. Retrieved at:

7 CMPA. (2020). CMPA Consent to Use Electronic Communications. Retrieved at:

8 Op. cit. Canadian Medical Association (CMA), College of Family Physicians of Canada (CFPC), and Royal College of Physicians and Surgeons of Canada (RCPSC). (March 2020). Virtual Care Playbook. Retrieved at:

9 American Society for Health Care Risk Management (ASHRM). (2018). Telemedicine. Retrieved at:

10 Op. cit. Canadian Medical Association (CMA), College of Family Physicians of Canada (CFPC), and Royal College of Physicians and Surgeons of Canada (RCPSC).

11 HIPAA Journal. HIPAA Guidelines on Telemedicine. Retrieved at:

12 Ibid. Canadian Medical Association (CMA), College of Family Physicians of Canada (CFPC), and Royal College of Physicians and Surgeons of Canada (RCPSC).

13 Office of the Information and Privacy Commissioner. (April 21, 2020). Commissioner Investigating Babylon by Telus Health App. Retrieved at:


In Canada, products and/or services described are provided by Continental Casualty Company, a CNA property/casualty insurance company. The information is intended to present a general overview for illustrative purposes only.

Ruth L Stewart, BA, RN, MHA, CHE
Senior Risk Control Consultant, Healthcare

Ruth Stewart is the Senior Risk Control Consultant, Healthcare for CNA Canada. Ruth brings to her role a background in clinical nursing, which includes experience in surgical, intensive care and trauma nursing as well as management of risk in the not-for-profit sector. She left the healthcare sector to work with an international broker, using her clinical and operational knowledge to help acute care and long-term care insureds better manage their risks. Ruth works directly with insureds to manage operational risk, and develops publications, tools and other resources to help insureds manage risk. Ruth collaborates with a team of seasoned Healthcare Risk Control/Risk and Governance professionals in the US and UK to provide a comprehensive range of risk services to CNA’s insureds.

Ruth received her nursing training from George Brown College, and her Master in Health Administration from the University of Ottawa. She is a member of the College of Nurses of Ontario (CNO), and a certified member (CHE) of the Canadian College of Health Leaders (CCHL).