What is CASL?
Canada’s Anti‐Spam Legislation (CASL) is intended to protect Canadians from spam, malware, phishing, spyware and other electronic threats. This legislation received royal assent on December 15, 2010 and came into force on July 1, 2014.
CASL applies to the following types of actions:
- The sending of commercial electronic messages,
- The creation and use of lists of electronic addresses,
- Installation of computer programs or software, and
- Alteration of transmission data (e.g. a link in an email which appears to send you to one website but which actually redirects you to another website).
The CASL Glossary defines a CEM, in part, as “any electronic message that encourages participation in a commercial activity, regardless of whether there is an expectation of profit”.
Full details can be found on the OCA website at https://chiropractic.on.ca/canada‐s‐anti‐spam‐ legislation‐casl.
What does this mean for PMP users?
It means that you need to consider the types of electronic messages that you are sending to your patients. Business communication is okay. Commercial communication is not. Consent is implied for business communication, but it is not always implied for commercial communication.
You can send items that are attached to patient appointments such as:
- email reminders
- emailed statements
- appointment list and calendars Without express consent you cannot send:
- birthday messages
In order to implement CASL it is helpful to know that our patients fall into one of three categories:
1. Implied Consent
The legislation defines that you have an existing business relationship with your patients. Implied consent does expire. It is generally valid for two years as long as it is not withdrawn before the expiration of the two‐year period (i.e. as long as the person to whom the message is sent does not notify the sender that they do not consent to receiving such messages).
Please see the OCA’s website for more information on implied consent: https://chiropractic.on.ca/canada‐s‐anti‐spam‐legislation‐casl#implied.
2. Express Consent
You have express consent if a recipient has actively and specifically given you consent to send commercial electronic messages (CEMs) to a specific electronic address. Unlike implied consent, express consent does not expire. It is only withdrawn if the recipient unsubscribes/notifies you that the consent is withdrawn. Please refer to the next section “Obtaining Express Consent” for details about requirements for express consent to be valid.
3. Opt Out (Unsubscribed)
Patients that have expressed a desire for no CEM type communication outside of appointment information.
How can offices track express consent, implied consent, and opt out in PMP?
PMP offers a few different options that can assist with determining your patient’s CASL category:
- Flags – create flags to specify types of consent and use Set Patient Values to add the flags to groups of patients
- Do Not Contact – use this only for appointment information
Using these options you can track and send correct communication to your patients.
Setting up the Consent Flags
First we need to create flags for consent. Go to the Setup menu, Flags.
Create flags for OPT OUT, Implied Consent, and
Express Consent. Click Accept.
Assign the Implied Consent Flag to Applicable Patients
Go to the Patient menu, Set Patient Value Using Query. On the Flags tab select Add the Selected Flags and select the Implied Consent flag that you created.
Click Select Patients.
Click Fill the List using Patient Query. In the Patient Query check mark Last Visit Date >= and change the date to July 1st, 2012. Click Accept.
The patients in the list on the right meet the selected criteria. All of these patients will receive the Implied Consent flag because they have attended your office in the last two years.
Obtaining Express Consent
Express consent must be separately sought. This means that it cannot be bundled together with other terms and conditions; it must be asked for separately. Updating your patient intake forms to include an express consent option is the easiest way to collect this information for new patients.
The OCA recommends that PMP users seek express consent from all current and new patients. Starting on July 1, 2014, a request for express consent is considered to be a CEM and therefore must also comply with the requirements set out in CASL.
Consider asking current patients to update their information (i.e. offer or withdraw consent) at their next appointment.
When seeking express consent, you must clearly and simply identify:
- The specific purpose(s) for which the consent is being sought,
- A statement that the person whose consent is being sought can withdraw their consent at any time
- The name of the person(s) or organization(s) seeking consent,
- If the person or organization seeking consent carries on business under a different name, the name by which the person seeking consent carries on business,
- If the consent is being sought on behalf of another person, the name of the person on whose behalf the consent is being sought, and (where applicable) the name by which such person carries on business,
- If the consent is being sought on behalf of another person, a statement indicating which person is seeking consent and which person on whose behalf consent is sought, and
- Contact information (or a link to a website containing this information) of the person seeking consent (or, if different, the person on whose behalf consent is sought) which includes:
- A valid mailing address where you can be contacted, and
- A telephone number (providing access to an agent or a voice messaging system) and/or email address and/or web address of the person seeking
Once you have received express consent from a new or existing patient go into Patient Information, Contact. Click into the Flags field and select Express Consent.
Using Do Not Contact
The Contact tab in Patient information offers a Do NOT Contact check box. This box was added to offer the option of patient’s receiving/not receiving email remainders, phone calls, etc.
We recommend that you check mark this box ONLY when your patients do not want you call/email them regarding appointment information. Do not use this box for consent.
Sending Business Related Email
Business related email such as reminders, statements, and appointment calendars will not need to be filtered for consent. When sending these items as a group, make sure that your Do NOT Contact patients have been removed from the group.
- In Email Reminders select it under Selection Filters on the
- In Email by Patient merge select Do not Contact is NOT checkmarked.
Sending Commercial Electronic Messages
If you are sending email communication that is not related to patient appointments follow the procedure noted above and check mark Flag and select Implied Consent. Checkmark “Do not Contact is NOT checkmarked”.
Patients who receive this email communication will have implied consent because they have visited your office in the last two years and they have not expressly informed you to not contact them.
PMP version 9000 will give you an option to choose patients with implied OR express consent flags allowing you to select both groups of patients at the same time.
Offer an Unsubscribe Mechanism
All CEMs must include an unsubscribe mechanism allowing the recipient to provide notice that they no longer wish to receive CEMs. The unsubscribe mechanism can include an option for the patient to REPLY with the word “UNSUBSCRIBE” in the subject line.
Unsubscribe mechanisms must be “readily performed.” It should be simple, quick, free and easy for the recipient to unsubscribe. Once a recipient has exercised their right to unsubscribe, you must ensure that effect has been given to the recipient’s indication that they no longer wish to receive CEMs within 10 business days.
Once you have received an unsubscribe notification go into Patient Information, Contact for that patient and update the information accordingly.
Click into the Flags field. Remove the checkmark from Implied Consent and add a checkmark for OPT OUT.