Privacy and Record Retention Standard of Practice
Standard
The physiotherapist maintains client privacy and confidentiality in compliance with the requirements of the privacy legislation relevant to their practice.
Expected outcomes
Clients can expect that:
- The physiotherapist will limit their collection of personal information to that which is needed to provide physiotherapy services.
- Their physiotherapy records are confidential and their private information will be collected, used, and shared with the highest degree of anonymity possible.
- They will know when their private information is collected, who will have access to it, how it is used, how it is protected, and conditions for disclosure.
- Their consent for information collection, access, use, and disclosure will be sought when required by privacy legislation.
Performance expectations
The physiotherapist:
Confidentiality
- Protects the privacy of client information in all environments, regardless of the format of information collection (written, verbal, photo, video).
- Is attentive to the physical environment during client assessment, treatment, and education and proactively addresses privacy risks including the risk of being overheard when discussing private health information.
Collection
- Collects only the relevant and necessary individually identifying health information required to provide physiotherapy services.
Consent
- Obtains client consent for collection, access, use, and disclosure of health information unless authorized by relevant legislation to do so without consent.
- Clearly discloses instances where audio or video recordings are generated in the practice setting (e.g., security cameras).
Access and amendment
- Accesses only relevant individually identifying health information when providing physiotherapy services for the client.
- Grants clients access to their own individually identifying health information within the time period specified by relevant legislation.
- Has clear processes for making corrections to health information.
- Provides a copy of the complete clinical and financial record to the client or authorized representative upon request.
- Establishes fees for access to client health records that are consistent with the requirements of applicable legislation, reflect the costs of providing the record, and which are consistent regardless of the party requesting access.
Use and disclosure
- Uses individually identifying health information only for the purposes for which the information was collected.
- Makes a reasonable effort to confirm that all correspondence with or regarding clients is sent to the intended recipient.
Security, retention, and disposition
- Prevents unauthorized access or use of client information while in use, storage, or during transfer, through the appropriate use of physical, technical, and electronic security mechanisms.
- Reports privacy breaches (e.g., unauthorized access or use of private information) to the appropriate individual(s), and contributes to privacy breach investigation, mitigation, and remediation in accordance with organization policies, role-based responsibilities, and legislative requirements.
- Retains client clinical and financial records for ten (10) years after the last date of service.
- Clinical and financial records for minors are retained for ten (10) years past the minor’s 18th birthday.
- Retains records in a manner that enables a complete copy or any component of the record to be retrieved and copied upon request, regardless of the media (paper or electronic) used to create the record.
- Ensures contractual agreements are in place any time a third-party is engaged to process, store, retrieve, or dispose of health information or provide information technology services, and that the terms of the agreements address ongoing access, security, use, and destruction of client information for the duration of the required retention period.
- Disposes of records (e.g., electronic, paper) in a manner that maintains privacy and confidentiality of personal information.
- Takes action to prevent abandonment of client records.
- Designates an identifiable individual or information manager to ensure the retention, accessibility, and security of client records in the event that the physiotherapist is unable to continue as custodian of client records (e.g., in the case of retirement, closing a practice).
If employed by someone who is not a regulated health professional in Alberta or designated custodian under the Health Information Act, the physiotherapist:
- Informs the employer of the physiotherapist’s legislated and regulatory obligations regarding client records.
- Reviews the employer’s policies and procedures relating to the collection, use, retention, disclosure, and secure disposal of health records.
- Ensures that the physiotherapist’s legislated requirements and professional responsibilities related to client health records are reflected in the employer’s policies and procedures and enacted in daily practice.
- Enters into contractual agreements with their employer that address their respective obligations regarding the collection, use, retention, disclosure, and secure destruction of health information, provided the employer is acting as custodian of client health records.