Active Living Physiotherapy & Fitness Club will manage all client records and confidential corporate information in a safe, secure and confidential manner consistent with current legislation regarding Freedom of Information and Privacy including, but not limited to, the Personal Health Information Protection Act 2004 (PHIPA), other orders released by the Information and Privacy Commissioner/Ontario, FSCO Service Provider Licensing Regulations, and College standards.
Personal Health Information relates to the:
· physical or mental health of the individual, including information that consists of the health history of the individual’s family.
· providing of health care to the individual, including the identification of a person as a provider of health care to the individual.
· plan of service for the individual.
· payment or eligibility for health care, or eligibility for coverage for health care, in respect of the individual.
· individual’s health number, or identification of the individual’s substitute decision maker.
Content & Accuracy of Files:
Client files will contain all records related to client assessments and treatment including but not limited to clinical notes, reports, invoices and receipts relating to goods purchased to support treatment.
As-Needed Basis:
Only as much personally identifiable client and corporate information as is necessary to fulfill clinical, reporting and management requirements shall be collected and maintained.
No personnel will share the client’s health record and related information with any party other than the client, members of the health care team or a third party without proper authorization. While relevant information about the client may be shared with health care team members to facilitate care, irrelevant information about the client or his/her conduct remains confidential.
Oath of Confidentiality:
All Active Living Physiotherapy & Fitness Club personnel will sign an Oath of Confidentiality upon joining the company.
Obtaining Client Information:
As needed, a signed consent form will be obtained from the client to enable Active Living Physiotherapy & Fitness Club personnel to obtain such information from other sources as may be deemed necessary to provide services to the client.
Client and Personnel Records:
Client and personnel records are the property of Active Living Physiotherapy & Fitness Club. Responsibility for the client’s chart is shared by the treating therapist and the company, and Active Living Physiotherapy & Fitness Club has a right to access client records. Except in cases where the preservation of confidentiality poses a risk of serious and imminent harm to the client or to others, or where there is a legal requirement, clients have the right to determine what shall be done with information included in their records.
RELEASING CLIENT INFORMATION:
Clients are entitled to receive a copy of the assessment and/or treatment report within 10 days (as per Licensing Regulations) of Active Living Physiotherapy & Fitness Club receiving the request. A reasonable charge to recoup expenses incurred in providing this information may be applied. A documented process is in place to ensure requested information is provided in a timely manner (refer to Chapter 8, Sample 2). Third-party payers will be made aware that, in order to uphold professional responsibility to their College, therapists cannot refuse to provide a copy of the client record to the client being assessed or treated, unless it is deemed that release of information could cause substantial harm to the client. Such situations are deemed to be rare.
Exception: The FSCO Service Provider Licensing Regulations state that service providers are not required to give individuals information or documents that relate to an examination of the individual conducted by or on behalf of the service provider if the examination was required by an insurer under section 44 of the Statutory Accident Benefits Schedule (i.e., Insurer Examination).
To the Payer and Other Team Members:
The treating clinician is responsible for ensuring that the client understands, at the initiation of the professional relationship, that a copy of the assessment and treatment reports will be forwarded to the referral source and that information may also be shared with other health care team members.
To Third Parties:
Upon receipt of a request to release health information, a written consent from the client to release said information will be obtained. If the client is not the direct payer of the service, the request will be forwarded to the referring agency/company.
To Law Enforcement Representatives:
Client information will not be released to law enforcement representatives without a search warrant or the written consent of the client.
In Response to a Subpoena:
Upon receipt of a subpoena or other legal directive requiring a care provider or records custodian to attend or give evidence, he or she shall not disclose health information without the authorization of the client, in advance of, or in preparation for, attendance as a witness in the proceeding.
In Response to a Claim or Legal Action:
Where a claim is made or an action is brought against a referring agency or Active Living Physiotherapy & Fitness Club by a client or former client in respect to the care given the client, the referring agency or [ ] may disclose the contents of the client’s medical record to the referring agency or [ ] liability insurer and solicitor. This will enable them to ascertain the circumstances giving rise to the claim or action and, where appropriate, to defend the referring agency or Active Living Physiotherapy & Fitness Club's position.
For Outside Research:
Access to confidential information for the purposes of research, statistical compilation or education by persons external to the company carrying out medical and epidemiological research will be granted only with the consent of the client or if the information can be transmitted to researchers in such a form as to effectively mask the identity of the client.
Service orders and referrals are either faxed or emailed to a secure location or placed in staff mail folders. The staff person is then responsible for the safe and confidential handling of client records, as per College standards and this policy and related procedures.
When transporting client records, personnel will ensure that these records are carried with caution or transported in a locked case in the trunk of a vehicle.
Storage of hard copy client records and confidential corporate information at Active Living Physiotherapy & Fitness Club or any other Active Living Physiotherapy & Fitness Club sites and clinicians’ home offices will be consistent with College standards and the guidelines outlined below. Minimally, all hard copy client information will be filed in secure file cabinets.
Electronic records will be stored securely (see Security Protocols below).
Active Living Physiotherapy & Fitness Club will retain client information (i.e., hard copy, disks, and tapes) in accordance with the standards of practice of the Colleges and for a minimum of 10 years (Note: Licensing Regulations require 6 years only) after the last date of entry of record. Records of pediatric clients will be kept until ten years after the day on which the client reached, or would have reached, 18 years of age.
Client information will be destroyed when it is no longer needed, pursuant to regulated timeframes. Hard copy records will be shredded and electronic records deleted.
Lost or Stolen Records:
Every effort will be made to reconstruct lost or stolen client and personnel records. The loss will be documented in the client or personnel file and the appropriate parties (client, referral source, staff person) will be notified.
GUIDELINES & PROCEDURES:
All systems and devices that store or transmit confidential client and corporate information must have proper security protection:
Removable media, including but not limited to CD-ROMs, DVD-ROMs, USB memory drives, external hard drives, and portable media/music players, must be encrypted; it is not acceptable to rely solely on login passwords to protect confidential information on mobile devices that are easily lost or stolen.
Mobile devices including but not limited to cell phones, laptop computers, tablets and other digital devices must be encrypted.
The confidentiality and integrity of electronic data and the integrity of the corporate server and network will be maintained through the use by all staff of unique user identification and passwords; each individual shall be held accountable for all activity logged against his or her user name.
User identifier: Refers to a set of characters uniquely identifying an individual for system access.
Passwords: Passwords will be six characters long and contain a mixture of at least two/three of the following groups: lower case, upper case, numbers and special characters.
For example: Passwords will be changed every  days.
Manager/delegate will determine and approve employee’s access to Active Living Physiotherapy & Fitness Club's information technology systems.
Admin/IT Support will provide the employee/contractor with an identifier and an expired password for first time access and reset passwords if compromised or forgotten once identity of the employee has been confirmed.
Individual staff person will: change password at first use, advising admin/IT support, but otherwise keeping password confidential; change password immediately if he/she believes or suspects that it is no longer confidential.
To mitigate risks to business operations and minimize security issues, personnel will:
Ensure that all electronic communication containing confidential client or corporate information is transmitted through secure, company-approved channels and/or is encrypted.
Ensure all confidential documents are password accessible only by Active Living Physiotherapy & Fitness Club employees, and only in read-only format to minimize tampering.
Refrain from opening an e-mail message received from an unfamiliar source unless there is some evidence that the message may be legitimate. In this case, each such message must be thoroughly investigated before it is opened to determine the source and objective of the e-mail.
Not allow webmail or e-mail software to automatically remember passwords.
Delete unfamiliar e-mail or contact admin/IT support to investigate suspect e-mail.