Frequently Asked Questions

What is Brightsquid?

Brightsquid Secure Communications Corp. delivers modern communications services and privacy compliance support that help healthcare teams work more quickly and easily.

We offer our privacy expertise to assist clinics and organizations with ongoing privacy compliance in the form of Privacy Impact Assessments (PIAs), compliance and breach-prevention training, breach assessment and reporting, and more.

What is Brightsquid Secure-Mail?

Healthcare data delivery done right.

Closely modeled after email, Brightsquid Secure-Mail is a closed, private messaging and large-file transfer service that connects all members of any healthcare team, including patients, to simplify communication and increase access to information.

  • Communicate with anyone
  • 500MB file attachments
  • Shared clinic inbox
  • Automatic breach prevention
  • Read receipts
  • Message recall
  • Spam free
  • Ransomware blocking

Clinics that use Secure-Mail instead of fax, mail, and phone reduce overhead costs, save staff hours of time each week, and create a calmer environment for effective delivery of care.

Who uses Brightsquid?

Brightsquid is the trusted leader in digital healthcare data delivery for all healthcare providers including medical offices, dentists, allied health, specialists, labs, and patients.

Where did the name Brightsquid come from?

Brightsquid was born from the need to share medical images with colleagues around the world in a way that was fast, compliant with privacy laws, and protected patient information to the letter of the law. One of our founders, a radiologist, could only compliantly share images with experts for consultation by mailing a burned disc or memory stick. Delivery often took too long, or the data showed up damaged.

When he drew a diagram of his idea for a better way, he saw that it resembled either a spider or a tentacled sea creature.

Around that time he became aware of a species of bioluminescent squid that lives in the dark depths of the ocean. He realized that, just as x-rays shine light on areas he cannot easily see, Secure-Mail brings light to healthcare decision making through greater information accessibility. And so Brightsquid was named in homage to those cute little creatures that bring light where there is darkness.

Does Brightsquid comply with privacy regulations?

Yes. We have many safeguards in place beyond encryption to achieve compliance. Brightsquid is audited by third parties to ensure continued compliance with HIPAA, PIPEDA, the HIA, and other important regional regulations.

Can I use Brightsquid when I am away from the office?

Yes. Brightsquid is a web-based service accessible anywhere through modern web browsers, including on your mobile phone or tablet. There is no application to download or update, so you’re always using the most current version.

Can I try Brightsquid Secure-Mail prior to purchasing a subscription?

Yes. Every new signup receives a two-month free trial. That way, there’s no charge while you work with us to find the ways Secure-Mail works best in your environment and get your templates and contacts set up.

A credit card is required as part of our account validation and security process. No charges are made until your trial is over.

Anyone invited to collaborate with a current subscriber gets free access to our service as well. Patients can always use Secure-Mail free of charge.

Is training available for Secure-Mail?

Training is part of every new subscription. There is a training section in all accounts that includes Secure-Mail walkthroughs, tips and tricks, as well as how-tos for specific job functions.

Users quickly discover that our secure email service is very user friendly, as it is closely modeled after some of the most widely used email services in the world.

Our support center and knowledge base provide detailed guides on how Brightsquid’s services and features are used. The Brightsquid Support Team is available for phone, email, and chat support every business day.

What is a Privacy Impact Assessment (PIA)?

A PIA is an in-depth appraisal of how an organization, office, or clinic proposes to collect, use, handle, and disclose patient information, including a documented plan to address potential risks to patient privacy.

The result is a declaration that your clinic understands how to protect the information of your patients and has sufficient processes in place to do so. It also serves as a blueprint for protecting your clinic against breaches.

In Alberta, Section 64 of the Health Information Act (HIA) mandates submission of a Privacy Impact Assessment for review by the Office of the Information and Privacy Commissioner (OIPC) for all 11 named custodian types.

Who needs a PIA?

Every clinic can benefit from the security of a PIA. In Alberta, Canada, every custodian of patient data (any person or organization involved in the collection, use and disclosure of health information) is required by section 64 of the Health Information Act to prepare a privacy impact assessment.

Section 2 of Alberta’s Health Information Act Regulation (“HIAR”) designates certain health professionals as custodians:

  • Regulated members of the Alberta College of Pharmacists;
  • Regulated members of the Alberta College of Optometrists;
  • Registered members of the Alberta Opticians Association;
  • Regulated members of the Alberta College and Association of Chiropractors;
  • Regulated members of the College of Physicians and Surgeons of the Province of Alberta;
  • Registered members of the Alberta Association of Midwives;
  • Registered members of the Alberta Podiatry Association;
  • Regulated members of the College of Alberta Denturists;
  • Regulated members of the Alberta Dental Association and College (as of March 1, 2011);
  • Regulated members of the College of Registered Dental Hygienists of Alberta (as of March 1, 2011); and
  • Regulated members of the College and Association of Registered Nurses of Alberta (as of September 1, 2011).

Do I need to have all required privacy policies and procedures in place before submitting my PIA?

No. A PIA is a declaration that your clinic understands its responsibilities and will implement the enclosed policies and procedures. However, simply having an approved PIA does not make your clinic compliant. You will need to enact the policies and procedures outlined within your PIA.

Can I write a PIA myself?

Yes. Anyone can complete a PIA given enough time to dedicate to learning the requirements, understanding the document, and writing the clinic’s declaration of patient privacy controls in alignment with the expectations of the OIPC or the relevant regional regulatory body.

For a detailed look at which aspects of clinic operations must be considered, download the Privacy Compliance Checklist.

How long does it take to complete a PIA?

Depending on the clinic, a PIA can run to 350 pages or more. The document must cover all aspects of how patient information is handled, including staff training and access, physical and digital chart storage and destruction, software used, and more.

Time to completion can vary depending on how much time can be dedicated to the project regularly without sacrificing other duties. Inexperienced individuals have reportedly taken hundreds of hours to complete a clinic PIA.

Often, after review, the OIPC will require changes, or even complete rewrites, of PIAs submitted without the proper structure and regulatory interpretation.

What happens if a clinic doesn’t have a PIA?

The biggest risk of not having a PIA is that your clinic is more susceptible to privacy breaches. A properly structured PIA investigates all appropriate areas of risk and establishes safeguards that reasonably protect the information in your control. It is not reasonable to assume privacy compliance is “common sense”.

There are no fines for not having a PIA. However, in the event of a privacy incident investigation, the absence of a PIA indicates a lack of preparation that usually translates into non-compliant operations.

A PIA is a document that can be used to defend the actions of a clinic in the event of a breach, provided that clinic was operating within the approved processes and procedures established in the PIA.

Without the ability to prove that you’ve taken steps to assess and plan for privacy compliance according to legal requirements, your clinic is at significant risk of penalty when a breach does happen.

If you’re able to demonstrate you were following processes explained in your accepted PIA but a breach happened anyway, you’ll be in a much better position.

In Alberta, fines for non-compliance can range from $2,000 to $500,000. Regardless of jurisdiction, a clinic without a PIA is at greater risk of suffering a privacy breach, and recovering from a privacy breach costs on average $408 per patient record involved.

Who is checking to make sure clinics are in compliance?

The OIPC has not been conducting audits of individual clinics. Investigations are launched upon receipt of a complaint. If a patient, collaborating clinic, or employee reports a clinic for mishandling patient information, the OIPC will examine that clinic’s policies and procedures as well as the reported incident.

The Health Information Act specifically states that: “An individual who makes a request to a custodian for access to or for correction or amendment of health information may ask the Commissioner to review any decision, act or failure to act of the custodian that relates to the request.”

Many professional colleges require a PIA for professional registration and before a new clinic is opened. Many also conduct reviews that examine PIAs for all appropriate inclusions to ensure compliance.

How much does a breach cost?

The average cost of a breach, beyond fines, is $408 for each patient chart lost. That cost is made up of IT support, required notifications, identity monitoring for each affected patient, and other remediation measures.

Recovery costs from privacy breaches caused by cyberattacks are the second highest in healthcare.

89% of businesses that suffered a ransomware attack in 2022 said the ransom they had to pay to get their data back (average = $100,000) was not the biggest associated cost. One in three companies infected by ransomware that don’t pay the ransom still incur costs over $50,000.

Some statistics indicate that clinics publicly known to have suffered a loss of patient information will see a 40-70% reduction in returning and new patients.

How do privacy breaches happen?

A breach is any unauthorized access to protected patient information. It can result from loss or theft of equipment such as cell phones or computers, misdelivery of faxes, email, and mail, improper disposal of charts or files, or system infiltration by hackers, to name just a few causes.

Healthcare is the only industry in which more breaches originate from internal sources than from external sources. However, breaches are increasingly the result of outside hackers rather than internal error. Ransomware attacks are becoming common in healthcare, and there have already been a number of cases involving Alberta-based clinics falling victim to ransomware attacks that rendered patient data inaccessible until a ransom was paid.

A study by Stanford University found that human error was a factor in 88% of breaches. That includes misdelivery of faxes, putting recipient addresses in the To or Cc field instead of Bcc (which exposes every recipient’s address to all the others), and other common errors.

94% of computer viruses are delivered by email.

33% of phishing emails are opened.

Do patients care about protecting their privacy?

Research shows that only 5% of patients do not care about the protection of their privacy. Almost 40% of Canadians are willing to travel up to 50 km for care if they believe local clinics aren’t safe with their information.

90% of healthcare data breaches caused by cyberattacks resulted in a loss of business.