Your personal health information is important, and physiotherapists are expected to have policies in place to provide security and protection whether you are accessing services in a public institution or a private clinic. Imagine you have injured yourself and have decided that you need to see a physiotherapist to help treat your injuries. Let’s walk you through each step of your journey in a clinic and discuss what privacy measures physiotherapists are legally required to have in place in order to protect your personal health information.
The clinic you have chosen to attend has an online booking system in place. As you work your way through the booking system you get to the point where they ask you to fill out an intake form. The form looks long and you have some questions about filling it out.
What information can they ask me for?
Legislation requires physiotherapists to only collect the minimum amount of information needed to provide physiotherapy services. They would need to collect your contact information and your relevant health information and may wish to collect financial or insurance information for billing of services provided. Legislation also requires physiotherapists to have reasonable security measures against unauthorized access, collection, use, disclosure, copying, modification, disposal, or destruction of your personal information. You should be able to access the clinic’s privacy statement as well as obtain contact information for the privacy officer, with whom you can speak about any concerns you may have.
Do I have to give them my credit card number?
As discussed above, they can ask for financial information to complete financial transactions. If you wish the clinic to direct bill your extended health benefits or the Workers Compensation Board or your Motor Vehicle Insurance, it would be expected that you provide the necessary information to do so. The clinic can ask you for your credit card information, but you can refuse to provide it. The clinic must disclose why they are asking, how they are protecting the information and then provide you with other options if you still do not wish to share it. The clinic cannot deny you service because you did not agree to submit your credit card information via an online intake portal.
They are asking for consent to contact me about physiotherapy, do I have to agree?
I don’t want them contacting me for advertising and promotion, can I limit this?
Yes, you can opt to not receive certain types of communication from the clinic. This could be for advertising or something else outside of what you consented to in your initial intake form. You can also alter your consent at a later date if you decide you want to receive promotional content, but you shouldn’t be coerced at any time to do this.
The Initial Assessment
Your booking is complete and you show up to the clinic at the correct time. The front-end staff greet you and confirm who you are and that you filled in the intake form. The physiotherapist shows up shortly after and takes you into the curtained-off treatment area.
The clinic has curtained treatment areas, but I have something sensitive to talk to the physiotherapist about. Is it ok to ask for somewhere more private?
Yes, you can ask the physiotherapist for a more private setting if they have one available and the physiotherapist should make a reasonable effort to find an appropriate space. Depending on the clinic’s available space they may offer you a private room or office to use but if there is nothing available you may have to reschedule your appointment. Some clinics may not have a private treatment space at all so you might have to look at going elsewhere for treatment if they are unable to accommodate your request.
I have had some diagnostic imaging done relating to my injury. They want to access my MRI results, is this common practice?
Yes, this is common practice as the physiotherapist needs information to make informed decisions regarding your assessment and treatment plan. They would need to get you to sign a consent form which would allow them to access your results from the location the MRI occurred or from the provider who ordered the MRI. As a patient you are able to limit what information the clinic is accessing. You can limit the dates and the specific diagnostic imaging results they can access. Again, the clinic needs to access or collect the minimum amount of medically necessary information in order to provide services.
How is my health information secure when they are sending my consent to release health information?
Physiotherapists are legislatively required to have technical, physical, and electronic safeguards in place for collecting, using, and storing patient information. When information is being sent to and from another health-care provider there should be specific policies in place that dictate how it is done safely and securely. As mentioned above, each clinic should have a privacy statement for you that provides information on what methods they have in place as well as a privacy officer that you can contact regarding any questions you have.
After treating me for several sessions the physiotherapist has decided that I should be referred on to another clinic that is able to provide more in-depth care for my injury.
Is this different than when they sent the request for my diagnostic imaging results?
Not really. Policies, procedures, and measures to safeguard your information must be in place, just as they were when the clinic asked to get your diagnostic imaging. You still need to consent to them sending your health information, as they cannot do this without your permission. This time they are sending your physiotherapy record off to another provider rather than receiving your record. Providing information is important in the referral process so the next physiotherapist you see will have the necessary information in place to provide safe, quality, and effective care.
The Privacy Breach
The original clinic I attended called to notify me that the physiotherapist had someone break into their vehicle and there was some private information of mine that was taken.
I don’t understand why the physiotherapist had my information in their car?
Good question. The clinic needs to explain both why the information was in their car and how the information was supposed to be protected. As a rule, leaving patient records, or devices that contain patient records, unattended in a vehicle is not an accepted practice.
I am worried about identity theft, who do I talk to about my concerns?
You should first talk to the clinic’s Privacy Officer to gather information on what occurred and to raise the concerns you have. If you still have concerns after speaking with the Privacy Officer, you can reach out to the Office of the Information and Privacy Commissioner of Alberta, which is set up to deal with these issues, to discuss your situation as well as what you can proactively do to protect yourself from identity theft.
I am concerned about the clinic’s handling of this, is there someone I can talk to about this?
Each clinic should have a Privacy Officer named in their privacy statement. It is their role to create the privacy policies and to address any concerns a patient may have. If there is no Privacy Officer, the clinic owner would be the person that would be able to assist you. You can also contact the College of Physiotherapists of Alberta’s Conduct Coordinator (email@example.com) to further discuss your concerns.
I am moving due to a change in work and would like a copy of my physiotherapy record.
What are my patient rights to accessing my record?
All privacy legislation allows you, as a patient, to access your physiotherapy record. Patients in private clinics are most often under the Personal Information Protection Act (PIPA), unless you have been treated due to a Motor Vehicle Collision, in which case your record would be subject to the Health Information Act (HIA). Although the two Acts may have different details on timelines and costs to the patient, they both allow the patient to access their record. Depending on the legislation, the timeline for the clinic to provide your chart to you can be 30-45 days.
Can they charge me a fee to do this?
Yes, the clinic has the legislated right to charge a fee to create the copy of the record. PIPA allows a “reasonable fee” to produce the record, but the clinic should not be charging you a fee that is unreasonable. Under the HIA, fees are specified by the legislation, which you can find here.
The Clinic Closure
Copies of records and medical-legal reports can be required for various reasons. What do you do if the clinic you used to go to is no longer open?
How would I find the physiotherapist?
You can call the College to help you find your physiotherapist if you cannot find them through traditional methods such as an internet search or the College of Physiotherapists of Alberta’s Verify a Physiotherapist. Regardless of the situation the College will endeavor to help you in locating your physiotherapist.
How could I find where my physiotherapy record is stored?
Physiotherapists have a duty not to abandon their patients’ records. Physiotherapists have several options when they close a clinic, but records cannot be abandoned, so they should exist somewhere. Your physiotherapy record could have been transferred to another clinic, and you can search to see if there were any notifications online or in newsprint that identified the clinic closure and the location of the physiotherapy records. You may attempt using the contact information of the clinic to see if an automated reply helps you find your record. If you still can’t find your record, you can contact the College and we will do our best to help you find it.
Retention and Destruction of your Patient Record
Legislation and the Standards of Practice require physiotherapy records be retained for 10 years past your last appointment (or 10 years after you turn 18 if you attended the clinic while still a minor). After that time period the clinic can destroy your record.
Why do they keep it for that long?
The College sets this requirement. The 10-year timeframe is in keeping with timelines for which a patient could bring a legal matter to the physiotherapist. If a client were to bring forth a legal matter it would be essential that the chart be available as evidence.
How do I know it will be secured and protected?
As previously stated, your personal health information and physiotherapy record are important, and there are Standards of Practice that require that your records not be abandoned and that they continue to be housed safely and securely for the designated time period. When you initially provided your information on the intake form at the start of this process, the legislated expectation is that the physiotherapist would collect, use and disclose your health information with reasonable security measures in place. They must have physical, technical, and electronic security mechanisms in place during the collection, over the period of time that they are retaining it, and finally when they destroy it.
How do they destroy the patient record?
Physiotherapy records must be destroyed in such a manner that no one can reconstitute them or any part of them. Usually, these tasks are done by the privacy officer that was appointed by the clinic or a third party that was appointed information manager of the record. Paper files should be shredded to a degree that they can no longer be re-arranged and read. Hard drives should be sanitized by wiping, degaussing, erasing and/or physical destruction. Agreements should be in place with any clinic software companies so that records will be appropriately removed from their servers at the appropriate time.
And so we have come to the end of your physiotherapy records journey from intake to destruction. Your physiotherapist has expectations in place that are dictated by the Standards of Practice for physiotherapists and Legislation, and it is important to know what you can expect as a patient. Physiotherapists must collect the least amount of information necessary to provide services and once that information is collected the contents of your physiotherapy record need to be housed in a secure manner with reasonable safeguards in place to prevent unauthorized access. These safeguards exist for the entirety of the life of your record including in its destruction and you are entitled to access this information at any point in its existence.