Access to Information and Safeguards Policy

Effective date: November, 2021  

Commitment

Everwell Integrated Health Professionals and C. Fleming Psychotherapy Professional Corporation are committed to ensuring that our clients’ Personal Health Information (PHI) and Electronic Records remain confidential to the best of our abilities. Each staff, sub-contracted clinician, student, and volunteer has a responsibility in ensuring they follow strict Personal Health Information Protection Act (PHIPA) guidelines for safeguarding and accessing the PHI of clients as laid out within this policy.

Everwell and C. Fleming will ensure that all staff, sub-contracted clinicians, students and volunteers are aware of their responsibilities in maintaining confidentiality, as well as the content and scope of this policy.

PHIPA vs. College Guidelines

The following reflect guidelines as laid out by PHIPA for health information custodians (HICs) and their agents. This policy does not outline any specific College guidelines from the CRPO or OCSWSSW and it is the practitioner’s responsibility to ensure that they comply with the rules and regulations of their own College.

Definitions as they relate to everwell

Personal Health Information (PHI): Oral or written information about an individual if it pertains to; their health card number (or other identifying information), an individual’s physical or mental health or family history

Electronic Records: Formerly paper files with clients PHI as well clinical notes now housed electronically on the Jane platform 

PHIPA - Personal Health Information Protection Act: Ontario legislation with rules for the collection, use or disclosure of personal health information 

Health Information Custodian (HIC) - “A health care practitioner or person who operates a group practice of health care practitioners and has custody or control of personal health information” - Carly Fleming  

Agent - “any person who is authorized by a custodian (HIC) to perform services or activities in respect to PHI on the custodian’s behalf or for the purposes of that custodian” - sub-contracted clinicians, students, volunteers and staff.

Access to Information by Agents

Sub-Contracted Clinicians/Students

Sub-contracted clinicians/Students will be granted practitioner-only access to client files, meaning that they can only view and modify client charts for their own clients.
In the event that another client’s clinical notes/chart is opened accidentally, Schedule 6 of Bill 188 amendments to PHIPA require an entry into an ongoing activity log. This log must contain a short note in the client’s chart which states: your name, the date/time the file was accessed and what was viewed, handled, modified or otherwise dealt with on the file. Even if the chart was simply opened and then closed, a log of that needs to exist in the client’s chart as per Bill 188 pertaining to Electronic Audit Logs.

These logs will be periodically audited by Carly Fleming, and can be requested by the Information and Privacy Commissioner of Ontario.


Staff/Non-clinical employees/contractors

Administrative staff will have administrative-level access to the entire Jane platform but are prohibited from accessing client clinical notes/charts for any reason unless directed by the HIC, Carly Fleming, to do so. Accessing client profiles, their billing or appointment tabs should be kept to a minimum and only done so when it is relevant to complete the duties of the job. 

All other staff, non-clinical employees or contractors will be given minimal access to the Jane platform and are prohibited from opening client clinical notes/charts unless directed by the HIC, Carly Fleming. 

In the event that a client’s clinical notes/chart is opened accidentally, Schedule 6 of Bill 188 amendments to PHIPA require an entry into an ongoing activity log. This log must contain a short note in the client’s chart which states: your name, the date/time the file was accessed and what was viewed, handled, modified or otherwise dealt with on the file. Even if the chart was simply opened and then closed, a log of that needs to exist in the client’s chart as per Bill 188 pertaining to Electronic Audit Logs.

These logs will be periodically audited by Carly Fleming, and can be requested by the Information and Privacy Commissioner of Ontario.

Access to Information by Health Information Custodians

Carly Fleming (RP # 4123) is the owner of everwell Integrated Health Professionals and as such is the Health Information Custodian (HIC) as per the Personal Health Information and Protection Act (PHIPA). Within this role, Carly Fleming has the ability to access client identifying information as well as clinical notes within client charts but abides by strict confidentiality guidelines in accordance with the Personal Health Information Protection Act. 

Carly Fleming will not access clinical notes within a client chart unless she is required to do so to complete her duties as the Health Information Custodian. In the event that a client chart is opened by Carly Fleming, she will add a log of that instance containing a short note which states: her name, the date/time the file was accessed and what was viewed, handled, modified or otherwise dealt with on the file.

Safeguards

Administrative

Access to information policy above addresses some of the administrative controls for safeguarding personal health information at everwell.

Email communication with clients should be done through @everwellcounselling.ca / @everwellhamilton.ca professional email addresses and must include a confidentiality statement footer that states; 1) this is privileged information intended for the recipient only, 2) the process for how an incorrect recipient should go about informing the sender and destroying the original, and 3) that sensitive information should not be disclosed/discussed over email.

Data minimization - any written communication should minimize the use of a client’s PHI, including any identifying information (names, phone numbers etc) whenever possible, opting to use client initials and client I.D. from their Jane profiles instead.   


Technical

Personal health information that exists electronically needs to be password protected. As an example, this can mean a private login username and password for the computer and/or a password protected profile for accessing the Jane platform. 

It is recommended that all staff, sub-contracted clinicians, students and volunteers stock their computers and devices with anti-malware scanners to minimize the risk of computer viruses that might pose a threat to client confidentiality.  


Physical 

In the event that there exists a physical copy of a client’s chart or identifying information, this information needs to be physically locked away when not in use. As an example, in a locked cabinet or in a locked room for which only authorized persons hold a key.  

In the event that you are using a personal computer, phone, tablet, or any device for your everwell duties, it is your responsibility to ensure you continue to meet the Administrative, Technical and Physical guidelines outlined above.

Contact Us

If you have any questions about this Privacy Policy, please contact us: