Records & Privacy

Originally published in Volume: 1 Issue: 3 of HeadLines

This scenario presents some potential challenges.

Consent may be more complicated than might initially meet the eye. The clients in such a situation could decide to enter the relationship because of a perceived expectation by the therapist that they will agree and not want to disappoint the therapist by declining the invitation. For this reason, if this were to occur, such an opportunity would have to be presented in an entirely neutral manner.

To be fully informed consent, each client would have to be made aware of all the potential benefits and risks. These benefits would obviously include mutual support. On the downside, entering a relationship in which the client could be taking on further emotional (and perhaps other) demands should be presented as a risk to their own therapeutic relationship with the therapist and consequently to their therapeutic progress.

Confidentiality could also become a challenge when clients are introduced and encouraged to communicate. While each client would know that the other was seeing the same therapist, the therapist would have to be vigilant not to share any information about the other client without authorization. This would become difficult if they wished to talk about the other client or about interventions being used with them and it could become difficult to avoid inadvertently providing information, even in refusing to actively answer certain questions that could be posed. Even if information about one client was never disclosed to the other, the therapist would have to be vigilant about avoiding the collection of information about one from the other without consent. Even with full consent, collection of such information could pose challenges to professional objectivity, if information arose about any conflict arising between these individuals or any adverse information about them. This would become a dual relationship in the same way as working with clients who are relatives or friends of one another would, and it’s best to avoid dual relationships.

There are no specific prohibitions against introducing clients, but these are some of the challenges in managing such an intervention, without the safeguards of therapist mediated interaction between clients, as might occur in a therapist mediated mutual support group.

Originally published in Volume 2 Issue 1 of HeadLines.

The answer to this question depends upon various decisions made by the organization, including who is the Health Information Custodian (HIC), a term which is used and defined in the Personal Health Information Protection Act, 2004 . For the purposes of answering this question, either a health care practitioner or a person who operates a group practice of health care practitioners may be a HIC. There may only be one HIC and it should be the person who will have ultimate responsibility for the collection, use, disclosure, security, and retention of the information. .

The HIC must ensure that their identity is made clear to all concerned, including the client.  A client must provide informed consent for a specified individual or organization to collect information about them.

A Health Information Custodian may have an “agent”. This is defined in PHIPA as a person that, with the authorization of the custodian, acts for or on behalf of the custodian. The HIC may, for example, appoint the service provider working in the HIC’s organization to be their agent.

Copies of information may be shared with those with a need to have the information in their possession but may only be provided to anyone other than the HIC or agent with client consent. The number of copies of the same information is directly correlated to the risk of loss or unauthorized access to the information. The fewer number of copies there are of a document, the lower the risk of loss or unauthorized disclosure.

There is no prohibition against storing information in more than one file/location. Standard 9.1 of the Standards of Professional Conduct, 2017 requires that a member must make best efforts to ensure that the member’s records are complete and accessible; this applies whether the record is kept in a single file or in several files and whether the record is housed in one location or at several locations. It is suggested that when records are not maintained in one file or location that a note is placed in each location indicating the location(s) of any other information.

Originally published in Volume 2 Issue 1 of HeadLines.

In the practices of most members, the answer to this question can be found in the Health Care Consent Act, 1996 (HCCA) and the Personal Health Information Privacy Act, 2004 (PHIPA).

One must first establish whether the child has the capacity to make their own independent decisions in these situations. The HCCA and the PHIPA do not specify chronological ages of consent but instead set out the test for determining whether any individual, including a child, is capable of making their own health care decisions. The determination of capacity must be made by the Health Care Provider or the Health Information Custodian, as the case may be. The analogous tests for capacity to be applied are set out in section 4 of the HCCA and section 21 of PHIPA, respectively.

If the child is not believed to be capable, a substitute decision-maker for the purpose of the HCCA is generally deemed to play the same role with respect to PHIPA.

Section 20 of the HCCA and Section 26 of PHIPA provide specific advice with respect to the hierarchy of potential decision-makers when a child is not believed to be capable of making their own decisions. It also sets out the mechanisms for deciding what must happen when a person with the right to make decisions is not available or willing to assume decision-making responsibility.  The legislation also addresses what to do if there is conflict between two individuals having equal ranking in the hierarchy.

Generally, a parent can give or refuse consent on behalf of an incapable child unless this authority has been lawfully granted to a children’s aid society or other person. If both parents do not have the same rights under an Agreement or Order, a parent with custodial rights prevails over a parent who has only a right of access. In situations where the statute does not spell out clearly which parent is entitled to make the decision, statutory interpretation is necessary. Given the high stakes for all individuals involved, the most prudent course of action is to obtain independent legal advice.

The College’s August 2005 Bulletin provides additional guidance with respect to this issue.

The answer to this question requires interpretation of legislation and College staff are not qualified or authorized to provide legal advice. Members who are considering refusal of a specific request for information may wish to obtain independent legal advice, given that release of confidential information, or the refusal to do so, can be a high-stakes decision for all concerned. The following information may be of assistance in obtaining legal consultation.

The Personal Health Information Protection Act, 2004 (PHIPA) sets out the applicable rules to be considered when addressing a request for personal health
information.

Personal Health Information is defined, in section 4.(1)(a) of the Act, as information that “relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family. . .”

Section 1 (b) of PHIPA states that one of the purposes of the Act is “to provide individuals with a right of access to personal health information about themselves, subject to limited and specific exceptions set out in this Act”. The Act also provides that information an individual is entitled to access can be provided to another party, with the consent of the individual or of the individual’s authorized substitute decision-maker.

Whenever faced with a decision about whether to provide access to information contained in a client record, it is a good idea to review the list of exceptions to the requirement to do so. These exceptions are set out in in Section 52(e) of the Act where one is not required to allow access to information if,

(e) granting the access could reasonably be expected to,

i. result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person,
ii. lead to the identification of a person who was required by law to provide information in the record to the custodian, or
iii. lead to the identification of a person who provided information in the record to the custodian explicitly or implicitly in confidence if the custodian considers it
appropriate in the circumstances that the identity of the person be kept confidential;

The Act, section 52(2) goes on to say that a health information custodian may provide only parts of a person’s record “that can reasonably be severed from the part of
the record to which the individual does not have a right of access”. When a decision is made to sever part of a file before releasing the record, section 54 of the Act provides
specific guidance about how to do this.

The Information and Privacy Commissioner of Ontario recently considered a complaint about an agency’s refusal to grant one family member access to the entirety of a family’s therapy records. In PHIPA Decision 158, the Commissioner found that the Personal Health Information (PHI) of each family therapy participant is theirs alone and not PHI of the other therapy participants. They went on to say that family therapy records may contain “communal” or “shared” information that can form part of each participant’s PHI. Communal or shared information was described as information about family health history, overall family relationships or dynamics, as well as general themes that arose in the course of family therapy.

The Commissioner ultimately decided that the complainant’s right of access under PHIPA was limited to only to PHI that can reasonably be severed from the records. The Decision explains that the Act is intended to enable individuals to access information about their family health history allowing them to make informed decisions about their own health care but that anything beyond shared or communal information, may have been collected with an expectation that it would remain confidential.

The Decision further explained that this best respects the confidentiality of that information; fosters trust between family therapy participants and custodians; promotes participant autonomy over access to their own personal health information; and promotes candid discussion and unguarded participation in family therapy sessions.

The Decision indicated that the right of access to information is limited by section 52(3), of the Act, which provides that an individual will only have a right of access to an entire record if the record is “dedicated primarily” to their personal health information. The following examples of factors to consider in determining whether a record is “dedicated primarily” to the personal health information of a requester are provided:

• the quantity of personal health information of the requester in the record;
• whether there is personal health information of individuals other than the requester in the record;
• the purpose of the personal health information in the record;
• the reason for creation of the record;
• whether the personal health information of the requester is central to the purpose for which the record exists; and
• whether the record would exist “but for” the personal health information of the requester in it.

The following “best practices” are suggested within the Decision:

1. At the outset of therapy, establish ground rules for what can be discussed, what information will be recorded, and who will have access to the records;
2. Document this understanding in the health record;
3. Identify documents (including chart notes) that relate to one participant and those that relate to all participants; and
4. When considering requests to access family or group therapy records, refer to documented informed consent and other records to identify participants’
   expectations, and categorize records as communal or relating to one or more participants before granting access to any records.

The answer to this question depends upon who has been identified as the Health Information Custodian. Under the Personal Health Information Protection Act, 2004 (PHIPA), it is possible that either a health care practitioner or a person who operates a group practice of health care practitioners can act as the Health Information Custodian (HIC). While either is possible, only one must be established at the onset of services. Generally, this will be the particular individual or entity they authorize to collect their Personal Health Information.

If, in this scenario, the operator of a group practice is not the HIC, then, the following Standard is applicable:

4.1 Responsibility of Supervisors of Psychological Service Providers
If members are supervising psychological services provided by a member holding a certificate for supervised practice or any other unregulated or regulated service provider who is not an autonomous practice member of the College, the clients are considered to be clients of the supervisor…

It then follows that the records are considered to be the records of the supervising member. This is supported by the following additional Standard:

9.1.2 Members Responsible for Supervising Supervised Practice Members and Non- Members
Members supervising Supervised Practice members and non-members are responsible for the security, accessibility, maintenance, and retention of records. 

If the organization is not the HIC, at the end of the engagement, in most case it is the supervising member who is the HIC and the records must remain with them for the required retention period.

The question of the release of raw test data involves an understanding and interpretation of the Personal Health Information Protection Act (PHIPA) which speaks to responding to requests for personal health information.  It should be noted that the College does not provide legal advice or legal interpretations of legislation but recommends that members seek legal advice on such matters.  While not providing legal advice, the College does offer some comments which may be helpful in understanding this question and informing the discussions with legal counsel

The Personal Health Information Protection Act (PHIPA) gives a client, or legal guardian, the right of access to, or the right to consent to the disclosure of, his/her personal health information.  This would include much of the information in the psychology file.  There are some exceptions, however, to this right.  These include information that could pose a risk of harm and confidential third party information.  As well, “raw test data from standardized psychological tests” [PHIPA 51.(1)] is excluded from this right.   Therefore, the legislation does not appear to provide a right to access raw data.

In considering PHIPA 51.(1), it is important to recognize the distinction between a right and a permitted disclosure.  There does not appear to be any statements in PHIPA that prohibit the release of “raw test data from standardized psychological tests”.  The difference to be understood is between what the client may have a right to obtain, and what they may be permitted to receive.  In this regard, the legislation is permissive, rather than prescriptive.

Recognizing this permissive language in the legislation, the College position related to the release of raw test data may be found in Principle 10 – Assessment and Intervention of the Standards of Professional Conduct; specifically section 10.8.  This section notes that the College recommends that when the request is reasonable and appropriate, and with proper authorization, the raw data should be released to clients and others.

It is important to note that Principle 10.8 emphasizes the member’s responsibility to distinguish between raw test data from standardized psychological tests and test materials or forms.  This suggests that test protocols, test items, summary sheets, etc., most of which are materials copyrighted by the publisher, should not be reproduced based on voluntary consent.  Rather, one may have to recopy the information ensuring not to include any copyrighted materials.  Of course, should one receive a court order, summons to appear and bring materials to court, or some other legal vehicle compelling the release of the entire file, then this could also include the raw test data protocols.  In such cases, members are encouraged to consult with legal counsel and/or the test publisher.

Originally published in Volume: 1 Issue 4 of HeadLines

In determining the appropriate record keeping requirements it’s important to consider what is meant by “consultation”. Sometimes, those using the title “consultant” are actually providing direct services to individuals. For example, this would be the case if the service involved interviewing clients of an agency and providing an assessment of their treatment needs. The member would, in such a situation, be required to create a client record in accordance with section 9.2 of the Standards of Professional Conduct, 2017.  Even if, by virtue of the administrative arrangements, the client is also a client of the agency and agency is the Health Information Custodian, the definition of client in the Standards is applicable:

Client: an entity receiving psychological services, regardless of who has arranged or paid for those services. A client can be a person, couple, family or other group of individuals with respect to whom the services are provided. A person who is a “client” is synonymous with a “patient” with respect to the administration of the Regulated Health Professions Act (1991). 

If involvement in a case was limited only to discussing the client with the clinician providing the direct client care, it is more likely that the consultation met the definition provided in the Standards: Consultation: the provision of information, within a relationship of professionals of relatively equal status, generally based upon a limited amount of information that offers a point of view that is not binding with respect to the subsequent professional behaviour of the recipient of the information.

If acting as a consultant, as it is defined above, then the following requirements regarding contents of records apply:

9.3 Organizational Client Records

1. A member must keep a record related to the services provided to each organizational client.
2. The record must include the following:
   a) the name and contact information of the organizational client;
   b) the name(s) and title(s) of the person(s) who can release confidential information about the organizational client;
   c) the date and nature of each material service provided to the organizational client;
   d) a copy of all agreements and correspondence with the organizational client; and
   e) a copy of each report that is prepared for the organizational client.

Even though the phrase “nature of” each material service, is not defined above, most prudent members record enough information to indicate the nature of the problem discussed and the nature of advice given.

Standard 9.4 provides the record retention requirements with respect to organizational records:

2) The organizational client record must be retained for at least ten years following the organizational client’s last contact.  If the organizational client has been receiving service for more than ten years, information contained in the record that is more than ten years old may be destroyed if the information is not relevant to services currently being provided to the client.

We’ve heard about this incorrect position from enough people to assume that, at some time in the past, it must have been promulgated widely. While the legislation permits one to refuse access to personal health information in some limited circumstances, including raw data from psychological tests, it does not prohibit one from allowing access to it. In many cases, it is expected that raw data will be provided, even with non-members.

A list of exceptions to the right of access to personal health information can be found in section 52 of the Personal Health Information Protection Act (PHIPA), 2004. Most of the exceptions relate to the expectation of serious risk associated with the disclosure.

Members who have insufficient cause to withhold raw data may have concerns about the risk of releasing the information to those who are not sufficiently trained to interpret it. In such cases, members are advised to attach a statement to the raw data indicating that raw data from standardized tests can lead to incorrect conclusions, and that this information should only be interpreted by those who are regulated psychological service providers with adequate training and experience in the interpretation of test results.

Detailed further information about the release of raw data can be found on the College’s Professional Practice FAQ pages.

It is a client’s right to decide who their personal health information may be shared with, subject to some exceptions set out in the Personal Health Information Protection Act (PHIPA), 2004. The Office of the Information and Privacy Commissioner of Ontario has published some helpful information about the Circle of Care, a colloquial term describing how one may rely on implied consent and the Lock Box, the colloquial language used to describe how a client may  limit what can be shared where one could ordinarily have relied upon implied consent.  All members who have not yet reviewed these documents, should familiarize themselves with these concepts and rules.

While there may be an argument that a member is not technically violating PHIPA if they provide information based upon implied consent, it isn’t really in the spirit of the legislation to do so, particularly if one believes a client who understood their rights, might capably choose to limit disclosure of their personal health information.

If there is reason to believe that a client would not want their personal health information shared, even if they have not sought to have the information ‘placed in a lock box’, one should consider the impact of sharing the information on the therapeutic alliance or on the client’s trust of other health care professionals, if the client believes their privacy has not been respected.

This question has been answered by the Office of the Information and Privacy Commissioner of Ontario  and can be found in the Frequently Asked Questions; Personal Health Information Protection Act September 2015, on page 31 of the document.

The answer reads as follows:

Yes. PHIPA permits the disclosure of personal health information without consent, if permitted or required by another law. For example, this means that PHIPA does not interfere with the Workplace Safety and Insurance Act (Act), where that Act requires a hospital or health facility, which provides health careto a worker claiming benefits under the insurance plan, to give the WSIB such information relating to the worker as the WSIB may require. This requirement also applies to a health care practitioner who provides health care to a worker or is consulted with respect to a worker’s health care. When requested to do so by an injured worker or the employer, the Act requires a health care practitioner treating the worker to give the WSIB, the worker and the employer prescribed information concerning the worker’s functional abilities.