Confidentiality is the obligation of a person or organization to keep information private. Security refers to the mechanisms used to restrict access to that information and to preserve its integrity. Regardless of the record-keeping format, content should be protected by procedures, information technology systems and/or functions that maintain the integrity, security, reliability, trustworthiness and interoperability of the data.
The Personal Health Information Protection Act, 2004 (PHIPA) describes the requirements for confidentiality and security as follows:
A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal. PHIPA, 2004, c. 3, Sched. A, s. 12 (1).
A health information custodian shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any. PHIPA, 2004, c. 3, Sched. A, s. 13 (1).
OTs are expected to apply practices that ensure the confidentiality and security of personal health information are maintained in accordance with all applicable legislation.
Standard 6
The occupational therapist will ensure client confidentiality and the security of client information, to prevent unauthorized access and to maintain the integrity of the record.
Performance Indicators
An occupational therapist will:
6.1
Take reasonable measures to ensure client personal health information is secure from unauthorized access, loss or theft;
6.2
Limit travel with client personal health information, and limit the amount of personal health information transported in paper or electronic format to that which is essential for service delivery. If using electronic devices, OTs must take reasonable measures to ensure that personal health information stored on these devices is protected from unauthorized access, which may include security methods such as encryption and/or password protection. A back-up copy of the files should be kept in a secure location. Measures should be taken to limit the visibility of paper files or records and of electronic devices while they are being transported;
Note: Password protection controls access through the device's software; encryption protects the stored data itself if the device is lost or stolen.
6.3
Ensure the physical security of on-site records through controls such as locked filing cabinets, restricted office access, and logging off or locking computers when away from them;
6.4
Comply with organizational policies and procedures related to the security of records. If self-employed or acting as the Health Information Custodian, the OT will establish appropriate policies and procedures, including making a statement describing their information practices available to the public upon request;
6.5
Make reasonable efforts to notify the individual(s) involved if their information has been lost or stolen, or accessed without their authorization;
6.6
Access only records that are applicable to one’s practice;
6.7
Ensure that client information to be delivered by mail is sealed, addressed accurately and marked "confidential";
6.8
Ensure there are appropriate administrative, technical, and physical safeguards to protect the privacy of health information that is disclosed. The OT should affix a confidentiality statement to any outgoing communication, including email, fax and paper;
Note: Safeguards may include confirming the recipient's email address, fax number or other contact information before sending, periodic auditing of pre-programmed numbers, and retaining transmission receipts.
6.9
Ensure that client information delivered by electronic communication is transmitted in a confidential and secure manner, for example encrypted, password protected, or sent over a secure network between authenticated sources and destinations, and limit the personal health information included to what is necessary (data minimization principle).