Clinical Privacy Policy.
THIS POLICY DESCRIBES HOW YOUR PERSONAL HEALTH INFORMATION MAY BE COLLECTED, USED AND DISCLOSED, HOW I SAFEGUARD INFORMATION IN MY CUSTODY AND CONTROL, AND HOW YOU MAY ACCESS THIS INFORMATION. PLEASE REVIEW CAREFULLY AND NOTE ANY QUESTIONS SO THAT WE CAN DISCUSS THEM AT OUR FIRST MEETING.
COMMITMENT TO PRIVACY: I am committed to maintaining the privacy of my clients and the confidentiality of all personal health information that is in my custody and control. I strive to protect the privacy rights of my clients by meeting or exceeding the standards established by law, including the Personal Health Information Protection Act, 2004 (“PHIPA”).
“Personal health information” (also referred to as “PHI”) includes any information in oral or recorded form (including written, audio or video) about an individual’s physical, cognitive, and/or emotional health, health care history, or health care treatment that could identify an individual when used alone or with other information. Information related to payments and eligibility for health care is also considered PHI, as is any information that is stored with PHI.
COLLECTION: As is required by law and the professional standards of the College of Registered Psychotherapists of Ontario (“CRPO”), I will create a record of the care and services you receive from me. I need this record to provide you with quality care. I will limit the PHI that I collect to that which is needed to provide you with the services. I will usually collect information from you directly, unless you wish me to collect information from other sources, such as other health care providers, in which case I will ask your permission to do so.
To provide you with the services, I may need to use your PHI for the following related purposes:
to obtain payment;
for quality assurance purposes;
to comply with legal and regulatory requirements;
to plan, administer and manage our internal operations; and
to fulfill other purposes permitted or required by law.
If I intend to use information for any other purposes, I will ask for your consent before doing so, unless otherwise permitted to do so by law without consent (as explained below).
CONSENT: I will not collect, use, or disclose your PHI without your consent, or if you are not capable of giving or refusing consent, with the consent of your substitute decision maker, unless otherwise required or permitted by law.
“Consent” means the informed voluntary agreement with the action being done or proposed. Consent can be either express or implied.
“Express Consent” means permission that I have specifically obtained from you. It is given explicitly, either orally or in writing.
“Implied Consent” means that I have concluded from surrounding circumstances that you would agree to the collection, use or disclosure of your information, and I need not ask for express consent. Implied consent arises where consent may reasonably be inferred from the circumstances.
Express consent will be required for the collection, use, or disclosure for purposes other than the provision of health care. You may withdraw or limit your consent at any time, unless doing so prevents me from recording the information required by law or under professional standards. If I am concerned that your choices will have a negative effect on your care, I will discuss this with you and explore a compromise. However, if I cannot collect the information that I am required to by law or professional standards, I may terminate services.
Transparent and confidential communication is an important part of therapy, and you are encouraged to ask me questions about your PHI at any time.
WHEN DISCLOSURE WITHOUT CONSENT IS OR MAY BE REQUIRED BY LAW:
In most cases, PHIPA requires that I have your consent to disclose your PHI. However, there are some exceptions to client confidentiality and there are situations where I may be permitted or required by law to disclose PHI. These exceptions include:
1) If I suspect that an identifiable child is currently at risk of abuse or neglect.
2) If I suspect that an identifiable individual who currently resides in a retirement/long-term care facility is at risk of abuse or neglect.
3) If I suspect that an identifiable individual has been sexually abused by a health care practitioner with whom there existed a health care relationship.
4) If I suspect that a client poses a significant danger to themselves or to another person.
5) When required by a court of law.
6) In the event of a practice review or investigation by the CRPO.
7) To defend myself in a legal proceeding related to my services.
8) In the event that my records are audited by the Canada Revenue Agency.
When appropriate, I will attempt to contact you to give you notice that your information is going to be disclosed. I will also minimize the PHI disclosed to that which is required to fulfill the legal requirements which apply to the disclosure.
SAFEGUARDS AND SECURITY: I recognize the importance of safeguarding PHI and take all steps that are reasonable in the circumstances to ensure that PHI in my custody is protected against theft, loss or unauthorized access, use, or disclosure. I also ensure that the records containing this information are protected against unauthorized copying, modification, or disposal. In order to protect my clients’ information, I have taken steps to meet the need for physical security, technological security, and administrative controls.
I maintain all client records in electronic form using specialized electronic medical record software, Jane. The electronic PHI records of my clients are protected through technological security measures, including:
restricting office and device access to authorized individuals;
password controls and search controls;
firewalls and anti-virus software;
logging, auditing, and monitoring of all access to electronic records of PHI; and
encryption of all mobile electronic devices that contain PHI.
I have also implemented administrative controls to safeguard the PHI records we maintain, including:
requiring all staff and contractors to agree to appropriate confidentiality terms;
prohibiting staff or agents from printing, copying or downloading electronic records except where necessary for the provision of care in circumstances where access to records is required, remote access to Jane’s server is not available, and the records cannot be viewed in electronic format from an encrypted device; and in these circumstances, requiring staff or agents to copy or download electronic PHI records only in encrypted format and to delete such records when no longer required for the provision of service; and
conducting regular audits of access to records and our practices to ensure compliance with our policies.
RETENTION OF PHI: Our policy is to retain PHI records for at least ten (10) years from the date of the last entry in the client’s record, or ten (10) years following the eighteenth birthday of the client to whom the record relates; or in accordance with any minimum retention period that is established by law.
DISPOSAL OF PHI: When PHI is disposed of, I will take reasonable steps to ensure secure and permanent destruction of these records, whether physical or electronic. Where a third party is retained to dispose of PHI, I will enter into a written agreement with the third party that sets out the requirements for secure disposal and require the third party to confirm in writing that secure disposal has occurred. I will also keep a record of all PHI that has been destroyed, including the date and manner in which the PHI was disposed of.
PRIVACY BREACHES: If I become aware that a client’s PHI has been stolen, lost, or subject to unauthorized use, access, disclosure, copying, or modification, I will immediately take steps to identify and contain the breach, and then to correct the breach and to minimize the chance of similar breaches in the future.
I will notify any client whose PHI may have been stolen, lost, or accessed in an unauthorized manner, at the first reasonable opportunity. I will also advise clients of their right to contact the Information and Privacy Commissioner of Ontario. We will then investigate the breach and take any reasonable steps to remediate it. Finally, we will consider whether a report to the Information and Privacy Commissioner or any regulatory college is required.
YOUR RIGHTS:
You have the following rights with respect to your PHI:
The Right to Request Limits on Uses and Disclosures of Your PHI. You have the right to ask me not to use or disclose certain PHI for treatment, payment, or health care operations purposes. I am not required to agree to your request, and I may say “no” if I believe it would affect your health care.
The Right to Request Restrictions for Out-of-Pocket Expenses Paid for In Full. You have the right to request restrictions on disclosures of your PHI to health plans for payment or health care operations purposes if the PHI pertains solely to a health care item or a health care service that you have paid for out-of-pocket in full.
The Right to Choose How I Send PHI to You. You have the right to ask me to contact you in a specific way or to send mail to a different address, and I will agree to all reasonable requests.
The Right to See and Get Copies of Your Own PHI. Other than psychotherapy notes (which are not retained as part of your client record and which I will securely destroy periodically), you have the right to request an electronic or paper copy of your medical record and other information. I will provide you with a copy of your record, or a summary of it, if you agree to receive a summary, within 30 days of receiving your written request, and I may charge a reasonable fee for doing so. If I have concerns about how you may interpret or react to my clinical notes, I may recommend that we review the notes together so that I can offer support. A client’s right of access to their records is not absolute, and I may deny your request where: the information does not exist or cannot be found; denial of access is required or authorized by law; or the request is frivolous, vexatious, or made in bad faith. If a request is refused, I will provide written reasons explaining the refusal.
The Right to Receive a List of the Disclosures I Have Made. You have the right to request a list of instances in which I have disclosed your PHI for purposes other than treatment, payment, or health care operations, or for which you provided me with an Authorization. I will respond to your request for an accounting of disclosures within 30 days of receiving your request. This list will include disclosures made within the retention period unless you request a shorter time. I will provide the list to you at no charge, but if you make more than one request in the same year, I may charge you a reasonable fee for each additional request.
The Right to Correct or Update Your PHI. If you believe that there is a mistake in your PHI, or that a piece of important information is missing from your PHI, you have the right to request that I correct the existing information or add the missing information. Where a correction is made, the original information will still be maintained in the client’s record. I may request documentation that supports your request, or say “no” to your request. Reasons that I may refuse to correct PHI include:
we are not satisfied that the record is incomplete or inaccurate for the purposes for which we collected, use or have used the information;
the record containing the PHI was not originally created by us and we do not have sufficient knowledge, expertise and authority to correct the record;
the request consists of a professional opinion or observation that a health care provider has made in good faith; or
the request is frivolous, vexatious, or made in bad faith.
All requests for correction of PHI will be responded to as soon as possible, but no later than 30 days after receiving the request. Where a correction request is denied, clients will be notified of the reasons for the refusal and will be informed that they are entitled to prepare a short statement of disagreement to have appended to their PHI record. In addition, clients are entitled to make a complaint about the refusal to the Information and Privacy Commissioner using the information provided at the end of this policy.
The Right to Get a Paper or Electronic Copy of this Notice. You have the right to get a paper copy of this Notice and to get a copy by e-mail. Even if you have agreed to receive this Notice via e-mail, you also have the right to request a paper copy of it.
The Right to Contact the Information and Privacy Commissioner of Ontario. You are encouraged to ask me questions about your PHI and my information practices at any time. You also have the right to contact the Information and Privacy Commissioner if you have concerns about my information practices:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON, M4W 1A8
1-800-387-0073
info@ipc.on.ca
The above policies may be updated to reflect changes in my practice, best practices for my profession, and applicable laws. Clients will be notified of material changes to this policy.
Implemented: July 2024
Next date of review: July 2025