Throughout the year Physiotherapy Alberta staff respond to members, lawyers, other third-party stakeholders and patients who have questions or concerns regarding access to and the release of confidential patient records. The questions are often related to whether records must be provided, what records must be provided, what processes must be followed, and what fees can be charged. Calls are also received from patients or third-parties who are frustrated when they face challenges accessing their documents from providers or clinic owners.
The purpose of this article is to assist all members to understand the legislation and Standards of Practice that govern the release of patient information. This information may also be used by physiotherapy businesses to guide the creation of policies and procedures related to the release of patient information.
Privacy legislation governs the collection, use, disclosure of and access to personal information. The two pieces of legislation that most commonly apply to Alberta physiotherapists are the Health Information Act (HIA) and the Personal Information Protection Act (PIPA). These Acts identify what information must or can be accessed, who may request access, when consent is or is not required, timelines for responding to requests and guidelines as to fees that may be charged. Physiotherapists are responsible for familiarising themselves with the Standards of Practice and all applicable legislation to ensure they understand and follow the rules.
Although the Acts do vary slightly, there are several basic principles that are common to all.
Access means the right to review any records that an organization may hold regarding an identifiable individual, or the right to receive a copy of such records.
The patient has the right to request access to or correction of their personal information. This is unchanged regardless of whether the request comes directly from the individual or from an agent who has been given the authority to act on their behalf (e.g., a lawyer).
The organization must respond to requests in a timely manner and the information requested must be provided (there are some exceptions specific to each Act).
Consent is required to collect, use, or disclose information to third-parties (each Act outlines when consent is required and when information may be released without consent).
A fee may be charged for the service.
The organization must have policies in place that guide how it collects, uses, discloses and retains patient health information.
The organization should appoint a Privacy Officer with the responsibility and authority to respond to requests, concerns or complaints related to personal information record management.
The Documentation and Record Keeping Standard of Practice1 reinforces the expectation that a physiotherapist must provide a copy of the complete clinical and financial record to the client or their authorized representative upon request and with appropriate consent. The process by which this is achieved will vary depending on the practice setting in which the physiotherapist works.
If the physiotherapist works in a hospital or other public health-care environment, the Health Records department may be responsible for the management of patient records, responding to requests and for ensuring compliance with the HIA. Staff working in these facilities must be aware of any site/organization policies related to health record management and work with the appropriate department to respond to any requests related to access or release of confidential health information.
If the physiotherapist works in a private practice environment, the job of responding to request or concerns related to patient records is the responsibility of the organization’s Privacy Officer. If the business owner has not assigned the role of Privacy Officer to another individual, the business owner is the Privacy Officer by default. In the private practice environment, PIPA applies to all patient records, except records for treatment provided under the Diagnostic and Treatment Protocols Regulation (DTPR).
What information must be released?
PIPA defines personal information as any identifiable information about an individual.2 Under PIPA a request for access to or copies of a patient record must be made in writing and accompanied by a signed consent if the request is not made by the patient.2 The individual must specify what documents are being requested.2 An individual may narrow a request to just a single episode of care, or may ask for all the records an organization holds regarding the individual, spanning several episodes of care. The treatment record includes everything related to the patient – all chart notes, emails, financial documents and letters.3
Once a written request has been received, an organization must provide the requested documents within a reasonable time to the individual, the individual’s agent, another health-care provider or a third party with signed consent. In rare circumstances, physiotherapists may redact portions of records if the information would reveal personal information about another individual or could reasonably be expected to threaten the life or security of another individual (including the patient).2
With a few exceptions, PIPA requires a response within 45 days of receiving the written request.2
Signed consent is not required if the request is submitted by Physiotherapy Alberta or the College of another health profession regulated under the Health Professions Act.3
The request and the release of information must be documented in the patient record.3 This documentation includes the date the records were released, the identity of who the documents were released to, reasons for not releasing requested document and any information that has been withheld.
The Release of Information Flow Chart found in the Privacy Guide gives members a quick overview of what processes must be followed when a request for access to information has been received.
What fees can be charged?
These requests require a physiotherapist and/or admin staff person’s time and expertise to respond to. If the applicant is a patient, an authorized agent or a third-party, PIPA allows for a reasonable fee to be charged for access to, or a copy of, the applicant’s personal information.2 If the request is to correct an error or omission within the record, no fee may be charged.2
PIPA does not provide a guideline of what is a reasonable fee, however; HIA legislation has prescribed fees. It is suggested that owners refer to the HIA fee guidelines as a starting point for setting clinic fees. It is not acceptable for the fees charged to create a barrier to the person’s access to their own health information, nor is it acceptable for the fees to serve as a source of revenue or profit for the clinic. Fees should represent the actual costs of preparing a copy or providing access.4 These costs could include:
The time and cost required to retrieve record
The cost of copying the record
The cost to deliver the record if applicable
If a fee will be charged, the organization must give the applicant a written estimate of the total fee before providing the service.2 The applicant should agree to the amount before the request is processed. The organization is permitted to require a deposit prior to processing the request.2 It is expected that these fees be clearly identified on the clinic’s fee schedule.
Patients or their authorized representatives have the right to request access to and/or copies of their complete patient record.
Physiotherapy service providers must respond to these requests and provide the requested access or copies of the records in a timely manner.
A reasonable fee may be charged that reflects the actual costs of retrieving, copying and delivering the record.
It is expected that all physiotherapists are knowledgeable of and comply with relevant legislative and regulatory requirements in Alberta.5 Physiotherapy Alberta has several resources available to assist members with understanding and complying with the applicable rules and regulations that govern their practice in Alberta. It is important that all members spend time and familiarize themselves with the Standards of Practice, resources and practice guidelines available to them.