Physiotherapy can become a murky substance to swim through at times, especially when we get into privacy issues and the varied legislation that can apply to physiotherapists. The realization that physiotherapists in Alberta may have to comply with one or more pieces of legislation is one of the reasons why the Privacy Guide was developed. Sometimes we get questions that aren’t quite covered in the Privacy Guide, and I based this article on a question that was submitted by three different physiotherapists over the past couple of weeks.
“A patient wants us to destroy all of their patient records at our clinic, as they are currently undergoing an issue with identity theft, what do we do?”
Patient X comes into your practice and tells you they have been involved in a situation involving identity theft or financial fraud. They are very worried about their personal and financial information being compromised further. Patient X may or may not blame you as the source of the privacy breach, but they are adamant they want all their information removed from your systems.
Before we go any further into this, we will pause and do a quick review of the Standards of Practice you should know regarding patient information.
Each Standard of Practice sets out performance expectations. Under the standard governing patient information, you are expected to:
- Be aware of and comply with the relevant legislation
- Protect the patient’s privacy at all times
- Maintain security of all records and documentation at all times
- Obtain and document consent prior to disclosing private information, when required by legislation
- Only access information that is relevant
The Privacy Guide developed by the College of Physiotherapists of Alberta breaks this down across all sectors and most situations, and talks about the similarities and differences between pieces of privacy legislation. The College of Physiotherapists of Alberta and the Practice Advisor can potentially help you navigate through it if you still have questions.
You should know these acronyms: PIPA, HIA, FOIP and PIPEDA. In my short-version review of the Privacy Guide, you should know that the Health Information Act (HIA) covers hospitals and health-care facilities like those run by Alberta Health Services (AHS) and Covenant Health. The HIA also covers patients falling under the Diagnostic and Treatment Protocol Regulations (DTPR). HIA allows for sharing of information within the “circle of care” without direct patient consent. Anything outside of the “circle of care”, like disclosure to a lawyer or insurer, requires patient consent. Schools, governments, and those working for the Workers' Compensation Board (WCB) (but not those contracted by WCB) will adhere to the Freedom of Information and Protection of Privacy Act (FOIP).
Those in private practice will mainly apply the Personal Information Protection Act (PIPA) to their daily privacy decision making. It is all about patient consent and governs the collection, use, disclosure, and retention of private patient information. As you can see, we have many different privacy acts to keep track of, and you can read about all the similarities and differences in the Privacy Guide.
For those of you practicing within larger public institutions, either AHS or others, you will have someone designated as a privacy officer, and you can direct your patient requests to someone who is well-versed in privacy and happily continue with life. The College of Physiotherapists of Alberta recommends that all practices have a privacy officer in place.
Now would be an excellent time to review your privacy policies. A component that often flies under the radar is your contractors. Do you have staff or contractors who are not managing or respecting the policies in place? Did they sign a privacy agreement as part of their contract? Is there a possibility that you have people working with you who may not be following the guidelines and are a privacy risk? Do your staff chart at the neighborhood coffee shop? Is it worthwhile to reach out to your Electronic Medical Record (EMR) provider to discuss the steps they have in place to ensure your patients’ data is protected? It’s not just health information that can be at risk, but financial data as well.
So now that we have reviewed some privacy basics and posed some questions of our own, we will get back to answering the question posed at the top of this article. The first step would be to speak with your patient to get a better sense of what is driving their request.
Do they feel you are the source of the breach?
Someone within the practice, typically the privacy officer, needs to investigate their concern. If it becomes apparent that you are the cause of the breach, then you will need to take responsibility. Someone in the practice environment erred and you must contact your privacy officer and may need to contact the Office of the Information and Privacy Commissioner (OIPC). Details of when you need to report a privacy breach can be found in the Privacy Guide.
Do they feel you are not providing adequate stewardship over their information?
Maybe they don’t think you are the source of a breach but are concerned that you are not protecting their private information. Does your patient fully understand the steps you take to protect their personal information? If you don’t have this information readily available for the person asking you to destroy your records, then you should produce it for them, direct them to your privacy officer, or sit with them and take them through the steps you have in place to protect their information. This would include:
- Physical controls that are currently in place such as lock and key type safeguards for paper charts, computers, and the office.
- Technical controls such as how your EMR functions, login and password use, protection of their data, encryption, and data loss prevention.
If the patient is satisfied with the steps you have taken, they may still request you destroy their records to limit their perceived risk. Remember, identity theft and credit card fraud can be extremely stressful events and we should be empathetic to what they are going through.
If the patient is still requesting that you destroy their records, then we move onto the next phase of the discussion which hovers primarily around you as a regulated health professional and your duty to maintain health records.
You have the tricky job now of balancing what the patient wants and what you must do to fulfill your professional obligations regarding documentation and record keeping. Section 9 of PIPA indicates that the patient can “withdraw their consent for collection, use, or disclosure of their private information”, but the wording doesn’t include DESTRUCTION.
Section 35 of PIPA states that “an organization may retain personal information only for as long as the organization reasonably requires the personal information for legal or business purposes.” The Documentation and Recordkeeping Standard includes the requirement that physiotherapists retain patient records for 10 years. This retention period is established so that you can respond to information requests from patients and third parties and address any future malpractice or conduct concerns that may arise. The retention period is set at 10 years because that is the time limit for a person to bring forward a civil claim against another party. As a regulated health professional, you are required to adhere to the Standards of Practice, which means that between the Standards of Practice and the potential need to respond to a civil claim, you have a legal and business purpose to retain the patient’s record.
While a patient can withdraw their consent for further collection, use or disclosure of their information, the legislation does not permit them to withdraw consent for retention of their personal information when there is a business or legal purpose for an organization to do so.
If you can't delete the entire patient record, what can you do?
You most likely can expunge their credit card information if the patient has been discharged. If they are a current patient and continuing treatment at your clinic, you can discuss alternate forms of payment if needed. However, in both cases, you still need to retain the billing and invoice records as part of the patient record. This would be necessary for chart or insurance audits so you can match clinical records with billing records.
When it comes to other personal registry information (name, date of birth, phone number, email), there needs to be a balance between complying with the patient’s request and making sure that sufficient information is retained so that you can confidently identify the record and who it pertains to. Since you need to retain patient records for 10 years, you must think about what you would need to identify the patient and their record in the future. The typical standard used by accrediting bodies is to employ two unique identifiers to identify an individual and mitigate against errors when dealing with two people with similar names (e.g., full legal name and date of birth, or legal name and health-care number).
If the therapeutic relationship has come to an end, it is unlikely that you have a legitimate need to contact the patient via phone or email; therefore, it is not unreasonable to remove or redact that information from the record at their request.
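As an added illustration, not from the original article or from the College, the following Python encodes the rules just described so that a clinic's record system applies them consistently rather than case by case: payment card data and contact details come out of the record once the patient is discharged, while the two identifiers (full legal name and date of birth), the billing and invoice records, and the clinical notes are always retained. The field names, the `discharged` flag, the sample record, and the choice to count the 10-year retention period from the last dated entry are all assumptions made for the example; the article itself does not say when the retention clock starts.

```python
from copy import deepcopy
from datetime import date

# Constructed sample record (not real patient data) with the kinds of
# information the article distinguishes: identifiers, contact details,
# payment card data, billing records and clinical notes.
SAMPLE_RECORD = {
    "full_legal_name": "Jane Example",
    "date_of_birth": "1985-04-12",
    "phone": "403-555-0100",
    "email": "jane@example.invalid",
    "card_number": "4111111111111111",
    "card_expiry": "2027-09",
    "invoices": [
        {"date": "2024-01-15", "invoice": "INV-1001", "amount": 95.00},
        {"date": "2024-02-01", "invoice": "INV-1002", "amount": 95.00},
    ],
    "clinical_notes": [
        {"date": "2024-01-15", "note": "Initial assessment, right shoulder."},
        {"date": "2024-02-01", "note": "Follow-up; range of motion improving."},
    ],
}

# Two unique identifiers that must survive any erasure request so the
# record can still be matched to the right person (assumed field names).
IDENTIFIERS = ("full_legal_name", "date_of_birth")
CONTACT = ("phone", "email")
PAYMENT_CARD = ("card_number", "card_expiry")
RETAINED_RECORDS = ("invoices", "clinical_notes")
RETENTION_YEARS = 10


def apply_erasure_request(record, discharged):
    """Apply a patient's 'destroy my records' request within the limits the
    article describes. Returns (redacted_copy, report); the input record is
    not modified, and the report explains every retain/remove decision."""
    missing = [f for f in IDENTIFIERS if f not in record]
    if missing:
        raise ValueError(f"record lacks required identifier(s): {missing}")

    redacted = deepcopy(record)
    report = {}

    for f in IDENTIFIERS:
        report[f] = "retained: one of the two identifiers needed to identify the record"
    for f in RETAINED_RECORDS:
        report[f] = f"retained: {RETENTION_YEARS}-year retention under the Documentation and Recordkeeping Standard"

    for f in PAYMENT_CARD:
        if f not in redacted:
            continue
        if discharged:
            del redacted[f]
            report[f] = "removed: patient discharged, card data no longer needed"
        else:
            report[f] = "retained: current patient; discuss an alternate form of payment before removing"

    for f in CONTACT:
        if f not in redacted:
            continue
        if discharged:
            del redacted[f]
            report[f] = "removed: therapeutic relationship ended, no legitimate need to contact"
        else:
            report[f] = "retained: current patient, still needed to reach them"

    return redacted, report


def retention_end(record):
    """Earliest date the retained record could be destroyed, assumed here to
    be RETENTION_YEARS after the last dated invoice or clinical note."""
    last = max(e["date"] for k in RETAINED_RECORDS for e in record.get(k, []))
    y, m, d = (int(p) for p in last.split("-"))
    try:
        return date(y + RETENTION_YEARS, m, d)
    except ValueError:  # last entry on 29 February; clamp to the 28th
        return date(y + RETENTION_YEARS, m, 28)


if __name__ == "__main__":
    redacted, report = apply_erasure_request(SAMPLE_RECORD, discharged=True)
    for field, decision in report.items():
        print(f"{field:18} {decision}")
    print("retain until:", retention_end(SAMPLE_RECORD))
```

Running the script with `discharged=True` prints a per-field decision list that can be handed to the patient alongside the redacted record; with `discharged=False` the card and contact fields are kept but flagged for the conversation about alternate payment. The report is the useful part: it documents why each field was or was not removed, which is what you need if the request is later questioned.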
Hopefully, after you have discussed your regulatory requirements and the measures in place to protect private information with the patient, they will understand what you can and cannot do, and you can mutually agree on a course of action. If there are still issues remaining, you may want to contact a lawyer, the PIPA help desk, or the Office of the Information and Privacy Commissioner (OIPC) for advice.
The College of Physiotherapists of Alberta’s Practice Advisor is also here to help you navigate challenging situations related to privacy, or the other Standards of Practice.