
Good Practice: The Privacy Life Cycle of a Patient’s Physiotherapy Record

In order to understand the professional expectations and legislative requirements related to managing a patient’s record, we are going to accompany a patient on their journey through a community physiotherapy clinic. We will start from the time they begin filling out their intake form and end with the destruction of their record 10 years after their last appointment with you. The goal is to highlight performance expectations while providing situational examples of the most common issues seen from the College’s perspective. As we go through our patient’s privacy journey, it would be helpful to review the College’s Privacy Guide to flesh out some of the information included in this article.

The Intake

Joe recently had a bad fall and fractured his hip. He was in hospital for a few weeks after surgery, was finally discharged home, and is now looking for a physiotherapist near where he lives. With the help of his daughter Clara, he has found your clinic, which is just a couple of blocks away from his house. You have an online booking process that requires an intake form to be completed prior to his appointment.

What information are you allowed to collect on the intake form?

Legislation requires you to collect only the minimum amount of information needed to provide physiotherapy services and complete necessary transactions. Therefore, you can collect the patient’s contact information, relevant health information, and potentially the financial information required for billing of services provided. If your patient wants to access their extended health benefits, or the claim is through the Workers Compensation Board or Motor Vehicle Insurance, it would be expected that they will provide the information necessary to do so. You can ask the patient for their credit card information, but they can refuse to provide it. A physiotherapist or clinic cannot deny service because a patient did not agree to provide their credit card information via an online booking portal.

Do I need to provide a privacy statement on the intake form?

Yes. Each patient should be aware of the security measures in place to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction of their personal information. Every clinic should have a publicly posted privacy statement that is easily accessible to Joe or his daughter, whether on the online intake form or available to the public at the clinic. Each clinic or organization should also have a privacy officer, appointed by the clinic, to develop and oversee privacy policies and procedures and to ensure that a privacy policy is in place and available to both patients and employees. The privacy officer is also responsible for adequately training staff in the privacy policies and procedures, and is the main contact for anyone with questions regarding the protection of personal information. You can read more about the role of the privacy officer in the College’s Privacy Guide.

The Initial Assessment

Joe and Clara arrive at the clinic and are guided back into the curtained treatment area. A couple of things occur that you need to manage.

  1. As you greet Joe and Clara, they let you know that Joe has had bouts of confusion since his injury and underwent a capacity assessment before his discharge from hospital. Due to his confusion post-surgery, it was decided that his daughter will be acting as a co-decision maker. A co-decision maker assists with non-financial decision making such as health care or participation in social activities. Does this change anything for you moving forward from a privacy standpoint?

This may affect consent more than anything directly related to privacy. As a co-decision maker, Clara can attend medical appointments with her father to assist him in making informed choices about his care. If you wanted to release Joe’s information to another health-care provider or third party, you would need Clara present to discuss this with Joe before Joe signs the consent forms. There is a distinction between Clara acting as co-decision maker and being a named guardian through Joe’s personal directive as THE decision maker. You can read more about capacity and decision making here.

In private practice settings, the Personal Information Protection Act (PIPA) governs the management of a patient’s health information. PIPA is consent driven: health information cannot be collected, used, or disclosed without the consent of the patient or their guardian.

It would also be wise to confirm that the information collected in the intake form is accurate, since you don’t know whether Joe filled it out himself or Clara assisted him.

  2. Due to the nature of Joe’s confusion, they would prefer a more private place to discuss his history, as he gets a bit loud and agitated when he is confused. What should you do?

The physiotherapist must protect the client’s privacy at all times. You should respect their wishes for privacy, and if a private treatment room is available you should move to that area to continue your initial assessment. If one is not available, you need to offer options such as conducting the interview in an office, or rebooking their appointment for a time when a private treatment room may be available or when the clinic is less busy.

The Referral

Joe has developed urinary incontinence since his surgery, and you would like to refer him to another clinic that is able to treat his condition more effectively.

  1. You will need consent from both Joe and Clara to release his health information to the other clinic, as she is still his co-decision maker.
  2. The referral can be sent by paper, fax, or email. Each option has its own security safeguards to reduce the risk of the information being compromised, and it is up to you to decide which option you would choose.

PIPA requires that reasonable security measures be put in place to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or destruction of personal health information. You or your clinic must have policies in place to protect Joe’s information. These policies would outline the physical, technical, and electronic security mechanisms you have in place to protect information during collection, use, storage, and transmission. The clinic’s privacy policies should also be available in writing so that you can provide them to Joe and Clara if they request them.

It is expected that when Joe’s personal information is shared, it is done with the highest degree of anonymity possible. Your clinic may have a preferred method of transmitting private information, or your privacy officer could provide instructions as to which method you should use at your clinic.

Paper: You can hand deliver the referral or mail it. If you choose to hand deliver it, you should think about the risk of the information being stolen and what safeguards you must have in place. The information should be in an unmarked envelope, and the person delivering it should keep the envelope safe and secure in transit (i.e., not left on the seat of the car while they run errands). If you choose to mail it, the post office offers several levels of security that you can use, such as registered mail.

Fax: Yes, this is still used as a secure method of sending information. You would need to confirm that the fax number is correct prior to sending the information. You should mitigate the risk to patients by limiting the health information included to what is medically necessary.

Electronic Communication: Staff should be trained in the use of encryption methods for sending emails and should confirm the email address of the intended recipient before sending. You can access further information on electronic transmission of information from the Office of the Information and Privacy Commissioner (OIPC) here, as well as this article by the College here.

The Privacy Breach

You do all your charting on a laptop, which you left open after one of Joe’s treatments. The laptop was sitting in the treatment room that your next patient was guided into, giving them access to Joe’s chart notes and medical history. What are your next steps, and who can you contact for assistance?

In your practice, it is the physiotherapist’s responsibility to report the breach to the clinic’s privacy officer.

PIPA has a mandatory reporting requirement for a privacy breach if it meets a certain threshold.

Section 34.1 of PIPA says mandatory reporting must occur if “a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.”

The clinic’s privacy officer would have to decide whether this incident meets the threshold for informing Joe and his daughter of the privacy breach. If in doubt, they can contact the Office of the Information and Privacy Commissioner (OIPC) and work with them to decide whether it meets the threshold and whether it is necessary to take the next step of informing the patient or guardian.

If Joe or his daughter had concerns about the safeguards that were in place, or about how the clinic handled the reporting of the breach, they should discuss these with the clinic’s privacy officer. The privacy statement would include the privacy officer’s contact information, so they would know who to contact in order to make a complaint.

The Discharge

Joe’s confusion has resolved. He is back to his normal activities and is ready for discharge. His daughter is no longer his co-decision maker, and he has decided that he would like to move closer to his grandkids. What are your responsibilities regarding his physiotherapy record?

Records should be retained in a manner that enables any component of the record to be retrieved and copied upon request, regardless of the media (paper or electronic) used to create the record.

Paper charts: You can mark Joe’s file as inactive or discharged, and you must ensure it is housed in a manner that is safe and secure. For paper files, reasonable security measures would be keeping the record locked in a filing cabinet or in a secured storage room or facility with security alarms in place, with keys to the files limited according to clinic roles. The downside of paper charts is that there is no backup, so there is a risk of charts being lost completely due to fire, flood, etc.

Electronic charts: You move the electronic chart to inactive or discharged status, where it is placed on an encrypted hard drive stored in a safe and secure location. You are expected to keep a backup of this at another safe and secure location in case the hard drive is lost or compromised. As technology advances over time, you might want to change storage methods (CDs to USB to cloud based, etc.).

Cloud charts: Cloud based physiotherapy records have their information stored on the provider’s servers, but you must check with your provider to ensure that in the event they go bankrupt, or something else occurs, you would still have access to your patients’ information.

The Clinic Closure

Five years have passed since Joe left, and the clinic owners are going to close the practice down. As this has the potential to compromise a patient’s physiotherapy record, or access to it by either the patient or the physiotherapist, there are several expectations that the physiotherapist must abide by.

First, the physiotherapist must ensure that action is taken to prevent abandonment of the physiotherapy records. There are several options that a physiotherapist could consider when evaluating how to ensure the records are taken care of according to legislation.

The clinic could still act as the custodian and continue to house the charts until the required period has passed. The charts may no longer be at the “clinic location” but could be kept in a secure storage facility, at the physiotherapist’s home in a locked filing cabinet or safe, or, depending on the size of your hard drive, at a bank in a safety deposit box. The clinic could also pass that responsibility on to another clinic or a third party such as an information manager. If doing so, there must be a contractual agreement which addresses ongoing access, security, use and destruction for the duration of the required period.

The clinic has now officially closed, and the owners have decided to move the records to an information manager. If Joe comes looking for a copy of his physiotherapy record, how is he going to find where it is stored?

There are several ways that the physiotherapist could make sure that past patients know where to find their physiotherapy record. The clinic can send out secure communications to patients individually, notifying them of how they can access their information when needed. The clinic may wish to maintain an email address that is monitored regularly, or that provides an automated response about who to contact should patients need to access records. The clinic can also publish a larger notification in local newspapers or on social media channels, which patients may be able to find months or years later.

The Destruction of Patient Records

Another five years have passed, so it has officially been 10 years since Joe was discharged. Now that the period of 10 years has passed, what are the expectations for this record?

The physiotherapist must retain Joe’s clinical and financial records for ten (10) years after the last date of service. If Joe was a minor, then clinical and financial records must be retained for ten (10) years past the minor’s 18th birthday. The physiotherapist must also ensure that those records are disposed of in a manner that maintains privacy and confidentiality of personal information.

Physiotherapy records should be destroyed by the appointed clinic privacy officer, or by the clinic or third party that was appointed custodian of the records. Paper files should be shredded to a degree that they can no longer be re-arranged and read. Hard drives should first be wiped using encryption software and then physically destroyed by drilling holes through the drive. Agreements should be in place with any clinic EMR software companies that records will be appropriately removed from their servers. If you are the one destroying the physiotherapy records, you should keep a log of which files were destroyed and when.

With Joe’s physiotherapy record successfully destroyed, we have completed the life cycle of the patient record. From intake form to destruction, Joe’s record was intended to highlight the regulatory expectations in relation to the protection of Joe’s information and the day-to-day processes each physiotherapist undertakes in order to abide by these expectations.

Page updated: 06/04/2023