Practice Guidance Notice

As of June 1, 2023, the updated Standards of Practice will apply to all occupational therapists. The College’s practice guidance documents, case studies, Q&As, and other materials are currently being updated to reflect these changes.

In case of discrepancies, please refer to the Standards of Practice, 2023 for the most current information. If you have any questions, please contact the College’s Practice Resource Service at practice@coto.org.

Introduction

Occupational therapists need to collect, use, and disclose sensitive information about their clients to carry out their own work. Respecting clients’ privacy is a fundamental aspect of trust. Privacy includes keeping client information confidential and secure as well as following certain rules about clients’ access to their own information.

The privacy practices of occupational therapists in Ontario are guided by privacy legislation, College Standards, organizational policies, decisions from the Information and Privacy Commissioner of Ontario, and case law from the courts.

The purpose of this practice guidance document is to assist occupational therapists in applying the applicable privacy rules to their practice. This information does not take the place of legal advice. Because privacy legislation can change, occupational therapists should remain informed of the current privacy rules that apply to their practice.

1. Privacy Legislation

Three main privacy laws may apply to occupational therapy practice:

  1. Personal Health Information Protection Act (PHIPA)
  2. Personal Information Protection and Electronic Documents Act (PIPEDA)
  3. Privacy Act 

Services delivered in Indigenous communities or to Indigenous clients may be subject to additional laws, traditions, or rules of the applicable First Nation, Inuit, or Métis peoples.

The law that applies will depend on (1) whether the services provided (such as workplace evaluations or independent assessments) are considered healthcare or non-healthcare; and (2) the type of organization through which services are funded or delivered (municipal, provincial, or federal government or services to Indigenous communities). Each law is outlined in more detail below.

To find the appropriate contact for privacy issues, see https://www.priv.gc.ca/en/report-a-concern/leg_info_201405/.

a. Personal Health Information Protection Act

PHIPA is Ontario legislation that sets out the rules that health information custodians must follow when collecting, using, and disclosing personal health information for health-related activities. PHIPA applies to most, but not all, occupational therapists’ practices in Ontario.

PHIPA sets out the responsibilities of health information custodians to protect personal health information; obtain consent for the collection, use, and disclosure of such information; respond to requests for the release of the information to third parties; and facilitate the rights of clients to access their own health information and request that their health records be corrected.

Personal Health Information

“Personal health information” is defined in PHIPA (s. 4 [1]). The definition includes any identifying information about an individual if the information:

  1. relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
  2. relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual, […]
  3. (c.1) is a plan that sets out the home and community care services for the individual to be provided by a health service provider or Ontario Health Team pursuant to funding under section 21 of the Connecting Care Act, 2019,
  4. relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual,
  5. relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
  6. is the individual’s health number,
  7. identifies an individual’s substitute decision-maker.

Health Information Custodian

As defined in PHIPA (s. 3 [1]), a “health information custodian” is an individual or organization listed in PHIPA that has “custody or control of personal health information” by virtue of their professional role and/or responsibilities.

Occupational therapists are health information custodians for health records generated in their independent practices. However, when occupational therapists are employed or contracted by an organization (such as a hospital, long-term care home, or family health team), the organization is usually the custodian. If occupational therapists are working in a group practice, the group may be the custodian.

Occupational therapists must determine who the custodian is in the context of their work. A health information custodian remains accountable for the personal health information under its control and for the actions of its agents.

Health information custodians must:

  • Take reasonable steps to ensure that personal health information is protected against theft; loss; and unauthorized use, disclosure, modification, or destruction, including having appropriate physical, technical, and administrative safeguards to protect health records.
  • Ensure that personal health information is securely retained, transferred, and destroyed.
  • Make health records available to clients on request.
  • Respond to correction requests.
  • Develop and implement policies and procedures for responding to consent directives, including the appropriate management of restricted information (paper or electronic).
  • Respond to consent directives (lock box requests).
  • Have policies to address privacy, and report breaches to the Information and Privacy Commissioner.
  • Ensure that all staff, students, and contractors are trained in and comply with PHIPA.
  • Ensure that contracts with agents, community partners, and vendors include appropriate privacy expectations.
  • Develop and implement policies and procedures for collecting, using, and sharing health information without the client’s consent when permitted under PHIPA.

Agent of a Health Information Custodian

Under PHIPA, “an agent” is a person who is authorized to perform services or activities on behalf of a health information custodian. An agent can be a person or organization that contracts with, is employed by, is a student of, or volunteers for a custodian.

An agent is required to follow the custodian’s policies for storing, safeguarding, retaining, and destroying the health record and for responding to access and correction requests regarding it.

For example, an agent could be an occupational therapist who is contracted by a long-term care home where the home is the health information custodian. The occupational therapist must comply with PHIPA and follow the information practices of the long-term care home.

An agent must notify the health information custodian if:

  • The personal health information that the agent is handling is stolen, lost, or accessed by unauthorized persons.
  • The agent receives a request for access to or disclosure of personal health information.
  • The agent receives a request for correction of the health records held by the custodian.
  • The agent receives a consent directive.

An agent must return all personal health information to the custodian upon discharge or closure of the agent’s services.

Consent Directives (Lock Boxes)

A “consent directive” (also known as a “lock box”) is a term used to describe the situation when clients expressly request that specific information not be disclosed to another healthcare provider who is giving them healthcare services.

When a client requests that clinical information not be shared with another healthcare provider within the same health information custodian, this situation is called a “restricted use.” When a client wishes to prevent the disclosure of health information to external healthcare providers (other health information custodians), this situation is called a “restricted disclosure.”

Guidelines for employing a consent directive include:

  • Developing and implementing policies and procedures for the appropriate management of restricted information (paper or electronic).
  • Explaining to clients the potential risks of using the consent directive restriction.
  • Preventing unauthorized access to all locked information.
  • Ensuring that a record of the consent directive instructions is maintained in the client’s health record, retained for the required period, and accessible to clients or other individuals who are legally authorized to access the information.

In situations where locked information cannot be disclosed to another healthcare provider but the occupational therapist believes that disclosure of the information is reasonably necessary for the provision of client services, the occupational therapist must notify the other provider that information has been withheld. However, the content of the withheld information must not be disclosed.

Information that is subject to a consent directive may be disclosed if the occupational therapist believes, on reasonable grounds, that such disclosure is necessary for the purpose of reducing or eliminating significant risk of serious harm to an individual or a group of persons.

Occupational therapists working for health information custodians should confirm with the organization the process for implementing consent directives. Those working independently should set up policies and procedures in advance so they can accommodate these requests when they arise.  

Circle of Care and Implied Consent

“Circle of care” is not defined in PHIPA; however, it is understood to include situations where health information custodians and their agents can assume that they have clients’ implied consent to collect, use, or disclose personal health information to another custodian or agent for the purpose of providing healthcare.

This is most common in settings where occupational therapists work with interprofessional teams such as in hospitals, long-term care, primary care, and home and community care. However, implied consent can also apply to the sharing of a client’s personal health information with external healthcare providers—for example, occupational therapists sharing client information with community providers who offer services to the same client (such as a family doctor).

Health information custodians are entitled to assume that they have a client’s implied consent to collect, use, or disclose personal health information with other direct health care providers, who are also custodians of the record, for a healthcare purpose unless the client has stated otherwise.

Sharing information within the circle of care does not apply if consent is withdrawn or withheld. In these cases, express consent would be required for all future collection, use, and disclosure of client information.

Prior to disclosing information collected from clients, occupational therapists should consider carefully whether another healthcare provider is in the circle of care. Employers, insurance companies, educational institutions, and banks are just some examples of third parties who are not in the circle of care and for whom disclosure requires express consent unless otherwise permitted or required by law.

Secondary Uses of Personal Health Information

When personal health information is collected, used, or disclosed for any reason other than providing healthcare to the client, this purpose is referred to as a secondary purpose. Some examples include program planning, risk management, quality improvement, research, staff training, and responding to legal proceedings. Occupational therapists should not collect, use, or disclose personal health information for anything other than the provision of care to clients without first obtaining client consent or confirming that the intended collection, use, or disclosure is permitted or required by law.

In certain circumstances, PHIPA permits health information custodians to carry out these secondary purposes without clients’ consent. However, which activities can be performed and who is permitted to perform them vary depending on the situation. An example is the case of a report required by law. Occupational therapists who are agents and not custodians should not use personal health information for secondary purposes without the custodian’s authorization.

b. Personal Information Protection and Electronic Documents Act

PIPEDA is federal legislation that governs the collection, use, and disclosure of personal information collected during the course of commercial activities.

In occupational therapy practice, PIPEDA may apply to fee-for-service insurance or medical-legal assessments which are carried out to help an insurer, employer, or third party determine entitlement to benefits or coverage, rather than for therapeutic benefit or the purpose of providing clients with healthcare services. Generally, if occupational therapists will be providing services to clients following assessments requested or funded by a third party, PIPEDA may apply to the records created by the occupational therapists.

Personal Information

Under PIPEDA, “personal information” includes any identifying information about an individual that has been communicated or recorded. This includes information such as:

  • “age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)” (Office of the Privacy Commissioner of Canada).

Applying PIPEDA

Many of the privacy requirements under PIPEDA are substantially similar to those in PHIPA. Some examples are the information custodian’s responsibility to safeguard personal information; seek consent for the collection, use, and disclosure of such information; give access to records of this information; and advise affected individuals of breaches. If occupational therapists have provided a service that is subject to PIPEDA and are not sure how to handle a privacy-related request or issue, they should seek legal advice.

c. Privacy Act

The Privacy Act is federal legislation that applies to how the Canadian government and other federal agencies collect, use, and disclose personal information.

The Privacy Act applies to occupational therapy practice when occupational therapists work for or contract services to a federal agency, such as Veterans Affairs, Corrections Canada, or Canada Post. The Act may also apply to services funded through the federal government and to services provided to First Nations people who live on federal reserves. If providing services to First Nation, Inuit, or Métis peoples, occupational therapists should inquire as to any additional laws that apply.

Personal Information

The Privacy Act defines “personal information” as any recorded information about an identifiable individual including:

  • Age, colour, marital status, origin, race, and religion
  • Education, medical, employment, and criminal history
  • Details of financial transactions
  • Any assigned identifying number and symbol (such as a personal record identifier or social insurance number)
  • Address, fingerprints, and blood type
  • Confidential or private communication sent to a government institution
  • Another individual’s perspectives about the identifiable individual
  • Individual’s name when it occurs with other related personal information or when the disclosure of the name alone would expose details about the individual
  • The fact of an individual’s being an employee of a federal agency
  • Type of leave taken by an employee

Applying the Privacy Act

Occupational therapists should check agreements with government agencies (for example, the First Nations Principles of OCAP, which are a set of standards that establish how First Nations’ data and information should be collected, protected, used, or shared) to determine whether records of services provided are subject to the Privacy Act. If occupational therapists have provided services that are subject to the Privacy Act and are not sure how to handle a privacy-related request or issue, they should seek legal advice.

For a comparison of the three privacy laws, see the appendix.

2. General Guidelines

a. Consent

Consent is the legal act of giving permission for an activity. Sometimes, occupational therapists record consent using a form or by documenting the permission in the health record.

To be valid, consent must:

  • Relate to the decision or activity
  • Be informed
  • Be given voluntarily
  • Not be obtained through misrepresentation or fraud

Three types of consent apply to privacy decisions for records created by occupational therapists:

  1. Express Consent: when the client or their substitute decision-maker agrees to the collection, use, or disclosure of personal health information.
  2. Implied Consent: when PHIPA permits the occupational therapist to assume consent for certain collections, uses, and disclosures of information to other healthcare providers for healthcare purposes unless told otherwise by the client.
  3. No Consent: when PHIPA or another law says that personal health information may or must be collected, used, or disclosed without express or implied consent. No consent is required by the client when the activity is permitted or required by law.

An example of when an occupational therapist does not need a client’s consent is a mandatory report to the College when the client discloses sexual abuse by a regulated health professional. In that situation, the disclosure of client information is required by law; however, the occupational therapist must obtain consent from the client to share their name. 

An example of disclosure permitted by law is the sections in PHIPA that allow a health information custodian to use personal health information for quality improvement or program planning; the custodian can but is not required to use the information for quality improvement, and they need not obtain client consent to do so.

Occupational therapists should assume that clients are capable of providing consent to make privacy decisions about the collection, use, or disclosure of personal health information unless there is reason to believe otherwise. Capacity is the ability to make decisions for oneself. If a client does not have capacity, a substitute decision-maker will make privacy decisions on their behalf. The hierarchy of substitute decision-makers (located in the Appendix of the Standard for Consent) will guide occupational therapists in the determination of who is the appropriate substitute decision-maker for the client. 

b. Record Keeping

Access

Clients have a right to access the information that providers hold about them. This includes all personal health information (if the service is healthcare under PHIPA) or all personal information (if the service is provided under PIPEDA or the Privacy Act) regardless of where the information is stored.

Occupational therapists should make reasonable efforts to inform clients about how they can access their records including how to contact the information custodian. Access requests should be responded to by the information custodian. Occupational therapists who are agents of a custodian should ascertain who is in charge of responding to requests (if not the therapists) and take steps to facilitate the forwarding of the request to the appropriate person. Clients should be provided with copies of records and, where reasonable, assistance with understanding the information.

Generally, access requests should be responded to within 30 days. In practice, a response as soon as possible is advisable.

Access to records should be refused in only limited situations, including if:

  • Releasing the records involves a risk of harm to the client or another individual.
  • The information was provided by a third party in confidence, and the identity of the third party needs to be kept confidential.
  • The information is subject to legal privilege.
  • The records are from psychologists and include raw data from standardized psychological tests.
  • The records include data from standardized tests that is not interpreted or summarized elsewhere in the record.
  • The information was collected as part of an investigation, inspection, or similar procedure, and the resulting proceedings, appeals, or processes have not yet been concluded.
  • PHIPA or another law prohibits the disclosure of the information.

Access Following Discontinuation of Practice

Occupational therapists are expected to develop and, when appropriate, implement a plan for how clients will access their records when the occupational therapist is absent or discontinuing practice. The plan may include secure retention and storage of the documents or transfer of the client records to another person who is legally authorized to hold the records or a successor health information custodian in keeping with the provisions defined in PHIPA.

Correction for Health Information Custodians

Clients have a right to request that corrections be made to the personal information that providers hold about them if that information is inaccurate or incomplete for the purpose for which it is held. “The purpose for which it is held” may be the provision of healthcare (PHIPA), commercial services (PIPEDA), or government services (Privacy Act).

Upon receipt of a correction request, the occupational therapist who recorded the information shall consider whether the client has demonstrated that the record is inaccurate or incomplete and whether the error or omission affects the purpose for which the information is held. If both conditions are met, the record must be corrected. Examples of situations in which a correction might be warranted are mistakes, misfiling, fraud, or incomplete information in accordance with College record keeping standards.

If the section of record requested to be corrected reflects a professional opinion or observation made in good faith and the author of the record disagrees with the rationale in the request for correction, the record need not be corrected. However, the client must be offered the opportunity to add a Notice of Disagreement to the record. The client may also appeal the decision to the Information and Privacy Commissioner.

Generally, correction requests should be responded to within 30 days. In practice, a response as soon as possible is advisable.

c. Privacy Breaches

A privacy breach happens whenever a person contravenes a rule under privacy legislation or the privacy policies of the organization where they work. The most obvious privacy breaches happen when client information is lost, stolen, or accessed by or sent to someone without authorization. Health information custodians should have a privacy breach protocol for themselves and their agents to follow in the event of a breach.

When a privacy breach occurs, steps should be taken to contain the breach—that is, to prevent further unauthorized use, disclosure, modification, or destruction of the information. The health information custodian should thereafter investigate to ascertain what led to the breach. Once the facts have been gathered, the custodian must notify affected individuals about the details of the breach, what steps are being taken to remedy it, and individuals’ right to complain to the Information and Privacy Commissioner. Steps should be taken to deal with individuals and processes that contributed to the breach, based on the information gathered during the investigation.

Occupational therapists who are health information custodians are required to follow legal standards for reporting privacy breaches to the College (in the case of taking disciplinary action against an occupational therapist) and the Information and Privacy Commissioner. In some cases, breaches should be reported to the Commissioner immediately. Breaches that require immediate reporting are those that involve snooping, stolen records, records that have been made public, a pattern of breaches, or that resulted in discipline and are significant. If an immediate report is not warranted, the breach should be reported as part of the custodian’s annual report to the Information and Privacy Commissioner.

d. Maintaining Current Contact Information

Occupational therapists must provide clients with valid contact information and update their own employment information on the public register within 30 days of any changes.

Occupational therapists can use business contact information of the referral source as their own contact information. However, they must have an agreement with the referral source that they will be notified of all communications concerning the occupational therapists or the occupational therapy services provided.

3. Summary

Occupational therapists must be able to understand and apply privacy legislation while providing occupational therapy services to clients. If occupational therapists are in doubt as to which privacy legislation applies to the services being provided, they are encouraged to seek independent legal advice from a lawyer who understands privacy laws and their application.

References

College of Occupational Therapists of Ontario. (2023). Standards of Practice.

Information and Privacy Commissioner of Ontario. (2015, September). Frequently asked questions: Personal Health Information Protection Act. https://www.ipc.on.ca/wp-content/uploads/2015/11/phipa-faq.pdf

Office of the Privacy Commissioner of Canada. (2019, May). PIPEDA in brief. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/. Retrieved January 25, 2023.

Personal Health Information Protection Act, 2004, Statutes of Ontario (2004, c. 3, Sched. A). Retrieved from the Government of Ontario website: https://www.ontario.ca/laws/statute/04p03

Privacy Act, Revised Statutes of Canada (1985, c. P-21). Retrieved from the Justice Laws website: https://laws-lois.justice.gc.ca/eng/ACTS/P-21/page-1.html#h-397172

Other Privacy and Security Resources

  • COTO: Legislation and Bylaws
  • Information and Privacy Commissioner of Ontario
  • Office of the Privacy Commissioner of Canada: Summary of Privacy Laws in Canada
  • Privacy Webinar: June 2021
  • The First Nations Principles of OCAP (Ownership, Control, Access, Possession)

Appendix: Comparison of Three Privacy Laws

Type of Information

  • PHIPA: Personal Health Information
  • PIPEDA and Privacy Act: Personal Information

Applicable Parties

  • PHIPA: Persons and organizations that provide healthcare and therapeutic services to individuals
  • PIPEDA: Private sector organizations and individuals engaging in commercial activities
  • Privacy Act: Federal government institutions and those persons or organizations providing federal services to First Nations People living on reserves

Practice Examples

  • PHIPA: Occupational therapy clinics, hospitals, long-term care homes, children’s treatment centres, and family health teams
  • PIPEDA: Insurance, third party assessments, and medical-legal examinations
  • Privacy Act: Veterans Affairs, Corrections Canada, Canada Post, and federally funded services provided to First Nations People living on reserves

Scope of Legislation

  • PHIPA, PIPEDA, and Privacy Act: Collection, use, and disclosure; retention and disposal; right of access; right to correction or amendment; safekeeping of information

Information Custodian

  • PHIPA: Health information custodians
  • PIPEDA: Commercial entities
  • Privacy Act: Government institutions

Consent

Must obtain informed consent for all services as outlined in the Health Care Consent Act, even though PIPEDA is not governed by the Act.

  • PHIPA: Depending on the activity, consent may be express, implied, or, if permitted or required by law, not required.
  • PIPEDA: The occupational therapist must check with the client as to who will obtain knowledgeable consent for the collection, use, and disclosure of the client’s personal information. “Knowledgeable consent means that it is reasonable in the circumstances to believe that an individual knows why a custodian collects, uses and discloses their personal health information and that they may give or withhold this consent” (Information and Privacy Commissioner of Ontario, 2015, p. 16).
  • Privacy Act: Knowledgeable consent must be obtained from the client if
      • A third party will collect information about an individual
      • The personal information is to be used or disclosed in a manner that is not consistent with the purposes for which it was collected
      • The personal information will be disposed of before the two-year retention minimum.

Retention

  • PHIPA: No prescribed retention period. See Standard for Record Keeping for the College’s expectations. Follow College or organizational retention guidelines for health records.
  • PIPEDA: No prescribed retention period. See Standard for Record Keeping for the College’s expectations.
  • Privacy Act: Personal information must be retained for at least two years following the last time the information was used unless the individual consents to its disposal. See Standard for Record Keeping for the College’s expectations.

Destruction

  • PHIPA, PIPEDA, and Privacy Act: Protect against theft, loss, and unauthorized use or disclosure of information. Ensure that information cannot be reconstructed or retrieved after disposal.

Consent Directive (Lock Box)

  • PHIPA: May be applied
  • PIPEDA and Privacy Act: Not applicable (if clients do not want information disclosed, they will refuse consent)

Access and Correction

  • PHIPA, PIPEDA, and Privacy Act: A health information custodian, organization, or government institution must respond to any written or oral request for access to or amendment of personal health information or personal information no later than 30 days after receiving the request. Extensions are allowed under certain circumstances, such as where meeting the earlier time frame would unreasonably interfere with operations (PHIPA), the need for additional time to conduct consultations (PIPEDA), and the need for additional time to convert personal information into an accessible format (Privacy Act). Under PHIPA and PIPEDA, extensions are limited to an additional 30 days. The Privacy Act has no limitations. The health information custodian (PHIPA) or information custodian (PIPEDA and Privacy Act) must inform the requestor, in writing, of the extension. Extensions must be communicated to the requestor within the initial 30-day period. PIPEDA also requires that the custodian advise the requestor of their right to complain to the Office of the Privacy Commissioner.

Maintaining Current Contact Information

  • PHIPA: If an occupational therapist is the health information custodian, they must provide valid contact information to the client and respond to any requests related to the client’s personal health information in the occupational therapist’s possession. If the occupational therapist is not the custodian, they must provide the client with the appropriate contact information.
  • PIPEDA and Privacy Act: The information custodian must provide valid contact information to the client and respond to any requests related to the client’s personal information in the occupational therapist’s possession.

Reporting Privacy Breaches

  • PHIPA: Information and Privacy Commissioner of Ontario
  • PIPEDA and Privacy Act: Office of the Privacy Commissioner of Canada