Security of your customers' health data

As a health or physical activity professional, you get to manage a variety of health data such as medical information which is very sensitive. Therefore, data security is essential in your profession. To this end, there are laws issued by the government and regulations issued by organizations surrounding your profession (Order, Association, Federation), which you must comply to. These are fairly similar for everyone, but they will change slightly depending on your profession.

We know that health data security is a rather nebulous subject that scares many of our customers. Some of them even mentioned that they doubted using file management software.

That's why we wanted to demystify this subject in this short article!

The Personal Information Protection and Electronic Documents Act (PIPEDA)


Concretely, it is the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) that covers IT management of private information of Canadian residents.

All health and physical activity professionals are subject to PIPEDA because they collect data as part of the delivery of health services.

This law is rather broad as for the indications to be respected in the choice of a management software. Indeed, the law only mentions that reasonable measures must be put in place to protect users' data. Here are some examples:

1. The data must be hosted in Canada or another country with a similar protection policy
2. Your access to the software must be secured by a password
3. Data must be encrypted (minimum required: 256-bit AES encryption);
4. The data must be on secure servers with automatic backups;
5. Check the ownership of the data in the supplier's terms and conditions of use. It is better for you to remain the owner.

In short, before using customer tracking software or a tool in your daily activities, it is important to ensure that it complies with the PIPEDA law.
For more information on the law:

The regulations in France are essentially the same. However, it is necessary for the data to be hosted in the country and by a host approved by ASIP as a "health data hosting" provider (the complete list available here:

Other countries : The regulations may be similar to those listed, but it is important that you check for yourself what the law is in your country.

Compliance with the organization surrounding your profession (Order, Association, Federation)

It is very important that you comply with the rules of this organization. These standards apply even in the context of traditional paper-based monitoring. If you want to switch to a software, it is your responsibility to ensure that it meets these standards.

All organizations have essentially the same good file management practices. Here are some common examples:

1. You must keep the file archived for 5 to 7 years from the date of the last professional service provided;
2. You cannot change the content of a note on file without leaving a signed and dated record;
3. You must not delete data without leaving a trace and have a history;
4. You are required to record all actions taken with the client.
5. You must provide access to the data in the event that you no longer use the software

All these rules have been written to protect you in the event of a complaint, a professional error, or any other situation requiring verification of the actions taken. Several solutions, such as Hexfit, allow you to manage your customers and centralize health data without fear.

At Hexfit, your data is safe and secure and we make it our priority?


Hexfit is an interprofessional client tracking software that allows you to optimize the achievement of your client’s objectives. Our software is not only built to allow you to follow the evolution of your clients, but also to help you with tasks that are more specific to your situation.

Being a software for health professionals and partner with several professional associations including FKQ (Fédération des kinésiologues du Québec) , CKA (Canadian Kinesiology Alliance) and AQP (Association québécoise de la physiothérapie), we respect the highest standards of security, compliance and confidentiality. We care about data security!

For more information on legality, compliance and data privacy at Hexfit:

*The content of this article is for informational purposes only. It should not be considered a legal opinion. Please refer to the regulations and law applying to you for details. 

Étienne Dubois

Articles relatifs

Share This