Good Practice: Protecting Client Records, Protecting You
By: Leanne Loranger, PT
Some of the most frequent practice advice questions that come my way relate to records management and the legislation on keeping patient information confidential. Physiotherapy Alberta has several publications that discuss different aspects of records management: the Privacy Guide [1] addresses the various pieces of privacy legislation relevant to physiotherapy practice, and the Standards of Practice [2] outline Physiotherapy Alberta’s requirements of members. Here is an overview of the questions I often encounter that relate to physiotherapy records.
1. How long do I need to retain clinical records?
The Standards of Practice require that you retain files for 10 years from the last date of service. In the case of a minor, records must be kept for 10 years from the date the minor turns 18 years of age or 10 years from the last date of service, whichever is longer. [2]
2. Who should retain clinical records?
The Standards of Practice do not stipulate whether the treating therapist or the employer should retain the patient records. If you work for a large institution, the records are usually retained by the institution.
If you work for a small clinic or are an independent contractor, it is up to each employer and employee/contractor to come to an agreement regarding how records will be retained. [3] Some things to keep in mind:
- Most patients will associate their physiotherapy service with the clinic or physical location where they received services and will typically return to the clinic if they want a copy of their record. For this reason, it is often optimal for the clinic to retain patient records.
- However, Physiotherapy Alberta strongly encourages members to ensure that a regulated health professional retains custody of client records. If your employer is not a regulated health professional, they may not be bound by the same standards and expectations as a regulated health professional, and you may lack the assurance that client records will be appropriately managed.
- Physiotherapy Alberta requires that members discuss their record retention plans with their employers at the start of their employment and have a written agreement that outlines who will be responsible for record retention, security, access and destruction. This agreement must address how access to records will be ensured for the treating therapist in the event that the therapist leaves the practice and later requires access to a former client’s record. [3]
3. Can I scan my clinical records and discard the paper files?
If you want to convert your paper files to electronic copies you can do so, but there are a few things to keep in mind:
- You need to keep a complete electronic copy of the record.
- Electronic copies should include a backup copy that is stored at a separate site.
- The backup should be tested to ensure that data can be recovered.
- Ensure that your records are complete as you prepare the file for scanning and that you have a robust, documented file conversion process to guarantee that all aspects of the chart are scanned and that the electronic record is complete and accurate.
- You must take steps to ensure the security of the confidential information that you are now storing electronically. These steps include physical safeguards, such as ensuring that all copies are kept in locked and secure locations, as well as technical safeguards, including encrypting the data and password protecting the information. [5]
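The points above on keeping a complete electronic copy, keeping a backup at a separate site and testing that the backup can be recovered can be made mechanical. The following Python script is an added illustration, not Physiotherapy Alberta's code or any tool it recommends. It assumes a scanned chart is a folder of page files, that the backup is simply a second folder (at a separate site in real use), and that the clinic's documented conversion process lists the sections every chart must contain (the section names and sample pages here are constructed). It writes a SHA-256 manifest at conversion time, checks the chart against the required-section list, and runs a restore test that reports any page missing from or altered in the backup.

```python
"""Integrity-checked electronic copies of a scanned chart.

Added illustration, not Physiotherapy Alberta's code or tooling. Assumptions:
a scanned chart is a folder of page files, the "backup" is a second folder
(at a separate site in real use), and the clinic's documented conversion
process lists the sections every chart must contain.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(chart_dir: str) -> dict:
    """Map each file under chart_dir (path relative to it) to its digest.

    Written at conversion time, the manifest is the reference that the
    backup is later checked against.
    """
    manifest = {}
    for root, _dirs, files in os.walk(chart_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, chart_dir)] = sha256_file(full)
    return manifest


def check_completeness(manifest: dict, required_sections: list) -> list:
    """Return required sections (hypothetical names) that have no scanned file.

    A section counts as present when some file name starts with it.
    """
    return [s for s in required_sections
            if not any(rel.startswith(s) for rel in manifest)]


def verify_copy(manifest: dict, copy_dir: str) -> list:
    """Restore test: list files missing from or altered in copy_dir.

    An empty list means the copy is complete and bit-for-bit identical.
    """
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(copy_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"mismatch: {rel}")
    return problems


# Constructed sample chart contents (no real client data).
SAMPLE_PAGES = {
    "intake.pdf": b"%PDF intake form (constructed)",
    "assessment.pdf": b"%PDF initial assessment (constructed)",
    "notes_2014-03.pdf": b"%PDF progress notes (constructed)",
}
REQUIRED_SECTIONS = ["intake", "assessment", "discharge"]  # hypothetical list


def demo() -> dict:
    """Build the sample chart, back it up, then damage the backup to show
    what the restore test reports."""
    work = tempfile.mkdtemp()
    chart = os.path.join(work, "chart_0001")
    backup = os.path.join(work, "offsite", "chart_0001")
    os.makedirs(chart)
    for name, data in SAMPLE_PAGES.items():
        with open(os.path.join(chart, name), "wb") as fh:
            fh.write(data)
    manifest = build_manifest(chart)
    shutil.copytree(chart, backup)
    clean = verify_copy(manifest, backup)
    # Simulate a damaged backup: one page altered, one page lost.
    with open(os.path.join(backup, "assessment.pdf"), "ab") as fh:
        fh.write(b"\x00")
    os.remove(os.path.join(backup, "intake.pdf"))
    damaged = verify_copy(manifest, backup)
    shutil.rmtree(work)
    return {
        "clean": clean,
        "damaged": sorted(damaged),
        "incomplete": check_completeness(manifest, REQUIRED_SECTIONS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script reports an empty problem list for the intact backup, then "mismatch: assessment.pdf" and "missing: intake.pdf" after the backup is damaged, and flags "discharge" as a section with no scanned page. Keeping the manifest with the chart, and re-running the restore test on a schedule, is the documented evidence that the backup is both complete and recoverable.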
4. Who is responsible to ensure that clinical records meet the Standards of Practice?
You are! Physiotherapy Alberta regulates individual members. It is the individual member who is accountable to ensure that their records meet the Standards of Practice. [2]
5. What do I do if my employer’s charting standards do not allow me to meet Physiotherapy Alberta’s Standards of Practice?
Again, you are responsible to ensure that your practice meets Physiotherapy Alberta’s standards. Your employer can require that you meet a higher standard than what is set by the College. If, however, their expectations are less than what is set out in the Standards of Practice, you must still meet your professional obligations first and foremost. It is important that you inform your employer of Physiotherapy Alberta’s requirements and that you continue to meet the Standards of Practice.
6. What privacy legislation applies to my patient records?
That’s a tricky question. The privacy of physiotherapy records in Alberta is governed by several separate pieces of privacy legislation depending on your practice setting and patient population. [1] For example, services provided in hospitals fall under the Health Information Act (HIA). Private practice services fall under the Personal Information Protection Act (PIPA), or the HIA in the case of Diagnostic Treatment and Protocols Regulation (DTPR) patients. Services provided in school settings fall under the Freedom of Information and Protection of Privacy Act (FOIP).
Regardless of the specific legislation that applies to your situation, some basic principles apply:
- Collect the minimum amount of data possible for you to do your work
- Secure files against unauthorized access
- Ensure patients and their designated representatives have access to their client records upon request
- Only disclose patient private information to those who are authorized to have access
- Ensure appropriate destruction of records [1]
Although the legislation differs only slightly in most cases, it is imperative that physiotherapists become aware of the specific privacy legislation that applies to their clinical practice and the stipulations of that legislation. You can read more about privacy legislation, including when each act applies, in the Privacy Guide. [1]
7. Can I send client information via email?
Yes, you can transmit patient private information via email. However, there are some things you should know:
- Email is not considered a secure form of information transmission, so if you are emailing patient information you are putting the security of that information at risk.
- Before sending private patient information via email, obtain the patient’s consent. [1]
- Reflect on the limits of that consent. Many people do not understand the security risks of sending private information via email. A basic principle of consent is that you cannot give valid consent to risks you do not understand; a patient’s consent to electronic communication may therefore not be enough to protect you in the event of a security breach.
- The best practice is to transmit the minimum amount of data possible via email. [4]
- If you are transmitting private patient information, use encrypted email. [4] Encrypted email services send the data in one email and the decryption code in a separate email, so that if one message is intercepted or misdirected, the privacy of the information is maintained. Encryption is considered the industry standard for emailing private information.
8. How do I properly dispose of an old computer hard drive? (It’s so old I can’t turn it on, but there is private client information on the computer.)
Remove the hard drive from the computer and literally smash it to pieces with a hammer, or drill several holes through it (or both). [5]
Remember that when you remove files from a computer, simply hitting delete is not enough, as the data can still be reconstructed. Instead, you need to purge the files from the computer. Failing that, drilling one or more holes through the hard drive will ensure that no one can turn on the computer and gain access to private information.
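To make the difference between "delete" and "purge" concrete, here is an added Python illustration; it is not from the article or from Physiotherapy Alberta. Deleting a file normally removes only the directory entry and leaves the data blocks on the disk until they are reused; purging overwrites the contents first. The script assumes a conventional magnetic disk and a filesystem that rewrites blocks in place, and uses a constructed sample record. On solid-state drives and on journaling or copy-on-write filesystems the overwrite can land on fresh blocks while the old data survives, which is exactly why the physical destruction the article recommends remains the dependable route for an old drive.

```python
"""Purging a file rather than merely deleting it.

Added illustration, not from the article. Assumption: the file sits on a
conventional magnetic disk and a filesystem that rewrites blocks in place.
On SSDs and on journaling or copy-on-write filesystems the overwrite can
land on fresh blocks and the old data may survive; physical destruction of
the drive is then the safe option, as the article advises.
"""
import os
import tempfile

CHUNK = 65536


def _fill(fh, size: int, make_chunk) -> None:
    """Write `size` bytes produced by make_chunk(n) from the start of the file,
    then force them to disk so the overwrite is not left in the page cache."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(remaining, CHUNK)
        fh.write(make_chunk(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def overwrite_in_place(path: str, passes: int = 2) -> int:
    """Overwrite the file with random data `passes` times, then with zeros.
    Returns the file size in bytes (what each pass covered)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            _fill(fh, size, os.urandom)
        _fill(fh, size, lambda n: b"\x00" * n)
    return size


def purge_file(path: str, passes: int = 2) -> int:
    """Overwrite the contents, then unlink. Returns bytes overwritten per pass."""
    size = overwrite_in_place(path, passes)
    os.remove(path)
    return size


# Constructed sample record (no real client).
SAMPLE_RECORD = b"client: J. Example, DOB 1970-01-01, assessment: constructed text\n"


def demo() -> dict:
    """Show that the sensitive bytes are gone before the file is unlinked."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_RECORD)
    overwrite_in_place(path)
    with open(path, "rb") as fh:
        after = fh.read()
    survived = SAMPLE_RECORD in after or b"J. Example" in after
    size = purge_file(path)
    return {
        "bytes": size,
        "size_preserved": len(after) == len(SAMPLE_RECORD),
        "secret_survived": survived,
        "exists_after_purge": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The read-back after `overwrite_in_place` shows the client text is no longer in the file before it is removed; a plain `os.remove` alone would have skipped that step. This kind of purge is only a stop-gap for files on a working machine; for a drive that no longer boots, as in the question above, there is nothing to overwrite and destruction of the platters is the practical answer.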
9. I am selling my clinic. What do I do with my client records to ensure they are appropriately managed?
You have two options.
- You can retain the records yourself, in accordance with the relevant privacy legislation, and have the new clinic owner provide former patients with your contact information if they approach the clinic seeking their charts.
- You can enter into a contract with the new owner in which you formally agree that they will accept accountability for the records and for their appropriate management including access, security, retention and destruction of the files in accordance with relevant legislation.
Regardless, physiotherapists are required to ensure that client records are not abandoned under any circumstances.
10. Why can’t I transmit private client information via social media (e.g., Facebook messenger or Twitter direct messaging)?
These formats are notoriously insecure. If you are sending patient information using Facebook Messenger you are putting the security of that information at risk. DO NOT use these formats for transmitting patient information.
1. Physiotherapy Alberta – College + Association. Privacy Guide for Alberta Physiotherapists. 2013. Available at: http://www.physiotherapyalberta.ca/files/guide_privacy_for_ab_physiotherapists.pdf. Accessed on June 10, 2015.
2. Physiotherapy Alberta – College + Association. Standards of Practice for Alberta Physiotherapists. 2012. Available at: http://www.physiotherapyalberta.ca/files/practice_standards_all_2012_revised.pdf. Accessed on June 10, 2015.
3. Physiotherapy Alberta – College + Association. Practice Guideline: Leaving a practice/Re-locating to another practice. 2014. Available at: http://www.physiotherapyalberta.ca/files/practice_guideline_leaving_or_relocating.pdf. Accessed on June 10, 2015.
4. Office of the Information and Privacy Commissioner of Alberta. HIA Practice Note #5: Communicating with patients via email: Know the risks. 2012. Available at: http://www.oipc.ab.ca/Content_Files/Files/Publications/HIA_Practice_Note_5.pdf. Accessed on June 10, 2015.
5. Office of the Information and Privacy Commissioner of Alberta. Personal Information Protection Act (PIPA): PIPA Advisory #8: Implementing reasonable safeguards. (n.d.). Available at: http://www.oipc.ab.ca/Content_Files/Files/Publications/PIPA_Advisory_8_Reasonable_Safeguards2007.pdf. Accessed on June 10, 2015.