Records & Privacy

Originally published in Volume: 1 Issue: 3 of HeadLines

This scenario presents some potential challenges.

Consent may be more complicated than might initially meet the eye. The clients in such a situation could decide to enter the relationship because of a perceived expectation by the therapist that they will agree and not want to disappoint the therapist by declining the invitation. For this reason, if this were to occur, such an opportunity would have to be presented in an entirely neutral manner.

To be fully informed consent, each client would have to be made aware of all the potential benefits and risks. These benefits would obviously include mutual support. On the downside, entering a relationship in which the client could be taking on further emotional (and perhaps other) demands should be presented as a risk to their own therapeutic relationship with the therapist and consequently to their therapeutic progress.

Confidentiality could also become a challenge when clients are introduced and encouraged to communicate. While each client would know that the other was seeing the same therapist, the therapist would have to be vigilant not to share any information about the other client without authorization. This would become difficult if they wished to talk about the other client or about interventions being used with them and it could become difficult to avoid inadvertently providing information, even in refusing to actively answer certain questions that could be posed. Even if information about one client was never disclosed to the other, the therapist would have to be vigilant about avoiding the collection of information about one from the other without consent. Even with full consent, collection of such information could pose challenges to professional objectivity, if information arose about any conflict arising between these individuals or any adverse information about them. This would become a dual relationship in the same way as working with clients who are relatives or friends of one another would, and it’s best to avoid dual relationships.

There are no specific prohibitions against introducing clients, but these are some of the challenges in managing such an intervention, without the safeguards of therapist mediated interaction between clients, as might occur in a therapist mediated mutual support group.

Originally published in Volume 2 Issue 1 of HeadLines.

The answer to this question depends upon various decisions made by the organization, including who is the Health Information Custodian (HIC), a term which is used and defined in the Personal Health Information Protection Act, 2004 . For the purposes of answering this question, either a health care practitioner or a person who operates a group practice of health care practitioners may be a HIC. There may only be one HIC and it should be the person who will have ultimate responsibility for the collection, use, disclosure, security, and retention of the information. .

The HIC must ensure that their identity is made clear to all concerned, including the client.  A client must provide informed consent for a specified individual or organization to collect information about them.

A Health Information Custodian may have an “agent”. This is defined in PHIPA as a person that, with the authorization of the custodian, acts for or on behalf of the custodian. The HIC may, for example, appoint the service provider working in the HIC’s organization to be their agent.

Copies of information may be shared with those with a need to have the information in their possession but may only be provided to anyone other than the HIC or agent with client consent. The number of copies of the same information is directly correlated to the risk of loss or unauthorized access to the information. The fewer number of copies there are of a document, the lower the risk of loss or unauthorized disclosure.

There is no prohibition against storing information in more than one file/location. Standard 9.1 of the Standards of Professional Conduct, 2017 requires that a member must make best efforts to ensure that the member’s records are complete and accessible; this applies whether the record is kept in a single file or in several files and whether the record is housed in one location or at several locations. It is suggested that when records are not maintained in one file or location that a note is placed in each location indicating the location(s) of any other information.

Originally published in Volume 2 Issue 1 of HeadLines.

In the practices of most members, the answer to this question can be found in the Health Care Consent Act, 1996 (HCCA) and the Personal Health Information Privacy Act, 2004 (PHIPA).

One must first establish whether the child has the capacity to make their own independent decisions in these situations. The HCCA and the PHIPA do not specify chronological ages of consent but instead set out the test for determining whether any individual, including a child, is capable of making their own health care decisions. The determination of capacity must be made by the Health Care Provider or the Health Information Custodian, as the case may be. The analogous tests for capacity to be applied are set out in section 4 of the HCCA and section 21 of PHIPA, respectively.

If the child is not believed to be capable, a substitute decision-maker for the purpose of the HCCA is generally deemed to play the same role with respect to PHIPA.

Section 20 of the HCCA and Section 26 of PHIPA provide specific advice with respect to the hierarchy of potential decision-makers when a child is not believed to be capable of making their own decisions. It also sets out the mechanisms for deciding what must happen when a person with the right to make decisions is not available or willing to assume decision-making responsibility.  The legislation also addresses what to do if there is conflict between two individuals having equal ranking in the hierarchy.

Generally, a parent can give or refuse consent on behalf of an incapable child unless this authority has been lawfully granted to a children’s aid society or other person. If both parents do not have the same rights under an Agreement or Order, a parent with custodial rights prevails over a parent who has only a right of access. In situations where the statute does not spell out clearly which parent is entitled to make the decision, statutory interpretation is necessary. Given the high stakes for all individuals involved, the most prudent course of action is to obtain independent legal advice.

The College’s August 2005 Bulletin provides additional guidance with respect to this issue.

The answer to this question requires interpretation of legislation and College staff are not qualified or authorized to provide legal advice. Members who are considering refusal of a specific request for information may wish to obtain independent legal advice, given that release of confidential information, or the refusal to do so, can be a high-stakes decision for all concerned. The following information may be of assistance in obtaining legal consultation.

The Personal Health Information Protection Act, 2004 (PHIPA) sets out the applicable rules to be considered when addressing a request for personal health
information.

Personal Health Information is defined, in section 4.(1)(a) of the Act, as information that “relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family. . .”

Section 1 (b) of PHIPA states that one of the purposes of the Act is “to provide individuals with a right of access to personal health information about themselves, subject to limited and specific exceptions set out in this Act”. The Act also provides that information an individual is entitled to access can be provided to another party, with the consent of the individual or of the individual’s authorized substitute decision-maker.

Whenever faced with a decision about whether to provide access to information contained in a client record, it is a good idea to review the list of exceptions to the requirement to do so. These exceptions are set out in in Section 52(e) of the Act where one is not required to allow access to information if,

(e) granting the access could reasonably be expected to,

i. result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person,
ii. lead to the identification of a person who was required by law to provide information in the record to the custodian, or
iii. lead to the identification of a person who provided information in the record to the custodian explicitly or implicitly in confidence if the custodian considers it
appropriate in the circumstances that the identity of the person be kept confidential;

The Act, section 52(2) goes on to say that a health information custodian may provide only parts of a person’s record “that can reasonably be severed from the part of
the record to which the individual does not have a right of access”. When a decision is made to sever part of a file before releasing the record, section 54 of the Act provides
specific guidance about how to do this.

The Information and Privacy Commissioner of Ontario recently considered a complaint about an agency’s refusal to grant one family member access to the entirety of a family’s therapy records. In PHIPA Decision 158, the Commissioner found that the Personal Health Information (PHI) of each family therapy participant is theirs alone and not PHI of the other therapy participants. They went on to say that family therapy records may contain “communal” or “shared” information that can form part of each participant’s PHI. Communal or shared information was described as information about family health history, overall family relationships or dynamics, as well as general themes that arose in the course of family therapy.

The Commissioner ultimately decided that the complainant’s right of access under PHIPA was limited to only to PHI that can reasonably be severed from the records. The Decision explains that the Act is intended to enable individuals to access information about their family health history allowing them to make informed decisions about their own health care but that anything beyond shared or communal information, may have been collected with an expectation that it would remain confidential.

The Decision further explained that this best respects the confidentiality of that information; fosters trust between family therapy participants and custodians; promotes participant autonomy over access to their own personal health information; and promotes candid discussion and unguarded participation in family therapy sessions.

The Decision indicated that the right of access to information is limited by section 52(3), of the Act, which provides that an individual will only have a right of access to an entire record if the record is “dedicated primarily” to their personal health information. The following examples of factors to consider in determining whether a record is “dedicated primarily” to the personal health information of a requester are provided:

• the quantity of personal health information of the requester in the record;
• whether there is personal health information of individuals other than the requester in the record;
• the purpose of the personal health information in the record;
• the reason for creation of the record;
• whether the personal health information of the requester is central to the purpose for which the record exists; and
• whether the record would exist “but for” the personal health information of the requester in it.

The following “best practices” are suggested within the Decision:

1. At the outset of therapy, establish ground rules for what can be discussed, what information will be recorded, and who will have access to the records;
2. Document this understanding in the health record;
3. Identify documents (including chart notes) that relate to one participant and those that relate to all participants; and
4. When considering requests to access family or group therapy records, refer to documented informed consent and other records to identify participants’
   expectations, and categorize records as communal or relating to one or more participants before granting access to any records.

The answer to this question depends upon who has been identified as the Health Information Custodian. Under the Personal Health Information Protection Act, 2004 (PHIPA), it is possible that either a health care practitioner or a person who operates a group practice of health care practitioners can act as the Health Information Custodian (HIC). While either is possible, only one must be established at the onset of services. Generally, this will be the particular individual or entity they authorize to collect their Personal Health Information.

If, in this scenario, the operator of a group practice is not the HIC, then, the following Standard is applicable:

4.1 Responsibility of Supervisors of Psychological Service Providers
If members are supervising psychological services provided by a member holding a certificate for supervised practice or any other unregulated or regulated service provider who is not an autonomous practice member of the College, the clients are considered to be clients of the supervisor…

It then follows that the records are considered to be the records of the supervising member. This is supported by the following additional Standard:

9.1.2 Members Responsible for Supervising Supervised Practice Members and Non- Members
Members supervising Supervised Practice members and non-members are responsible for the security, accessibility, maintenance, and retention of records. 

If the organization is not the HIC, at the end of the engagement, in most case it is the supervising member who is the HIC and the records must remain with them for the required retention period.