Lockbox Policy

Ontario’s health privacy law, the Personal Health Information Protection Act (PHIPA), provides individuals[1] with the right to make choices about, and control how, their personal health information (PHI) [2] is collected, used, and disclosed.

PHIPA gives clients the opportunity to restrict access to any or their entire PHI by one or more Rebound Total Health team members [3] or by external health care providers. Although the term “lockbox” is not found in PHIPA, lockbox is commonly used to refer to a client’s ability to withdraw or withhold their consent for the use or disclosure of their PHI for health care purposes. The lockbox provisions of PHIPA are found in sections 37(1)(a), 38(1)(a), and 50(1)(e). The lockbox does not extend to other uses or disclosures that are permitted or required under PHIPA or other legislation.

This policy will help our Rebound Total Health Team understand and fulfill their role when addressing lockbox requests and providing care to clients who have implemented a lockbox. Lockboxes may affect clinical practice for the professionals providing health care at the Agency because access to information about clients may be restricted, and such professionals may be asked not to share PHI with other health professionals inside or outside of the Organization.

Requests for a Lockbox

Any current or former client of the Agency [4] may request a lockbox to restrict sharing of all or some of their PHI by one or more Rebound Total Health Team members or by external health care providers.

When clients ask about lockboxes, it is important for Rebound Total Health Team members to address their concerns about the confidentiality of their PHI. Note that some clients may want to control who can access their PHI, but may not know to use the term “lockbox.” Clients may want a lockbox when they use words such as “restrict,” “limit,” “don’t tell,” “exclude,” “shield,” or “block” when talking about their PHI. For example, clients may want a lockbox if they ask their health professional or other Team Member:

Not to tell their specialist that they are being treated at the Agency
To exclude certain of the Agency’s clinical staff from seeing their information
To “shield” their information
To “restrict” their health record
Not to let their family members or neighbours who work with the Agency look at their health record

Clients may initiate the process for a lockbox by contacting a Privacy Officer [or by speaking to their therapist]. Clients must submit their request for a lockbox in writing.

The Agency’s “Lockbox Policy should be given to clients who want more information. This policy discusses the purpose, implications, and limitations of implementing a lockbox.

Lockbox requests can vary considerably. A client may request that:

Only some of the documents in their health record be locked
All of their health record be locked
All documentation created in the future be locked
Only one Team Member be restricted from accessing PHI
Several Team Members be restricted from accessing PHI
All Team Members be restricted from accessing PHI
One or more external health care providers not be given their PHI

Although PHIPA does not require that the Agency lock documentation that does not yet exist, in practice, refusing to lock future documents may result in frequent lockbox requests to the Agency from a client if a lockbox will be requested every time a new document is created. For this reason, the Agency will, where appropriate and if requested, lock documents as they are created. An example might be where a client requests a future lockbox because one of their family members (or former spouse or partner) is a Rebound Total Health Team member.

When clients request a lockbox, it often means they have concerns about their PHI and how it is being used and/or disclosed. Clients should be reminded that:

The Agency takes privacy seriously and keeps all PHI confidential and secure
PHI is only accessed by Team Members on a need-to-know basis
The Agency conducts privacy audits regularly to ensure compliance with the policy
Where PHI is accessed without authorization, appropriate steps will be taken to prevent a reoccurrence and there would be disciplinary consequences
PHI is disclosed only to external health care providers with whom the client wants their PHI shared (unless the disclosure is otherwise permitted or required under PHIPA without consent or by another law)
Sometimes a client requests a lockbox when a lockbox is not necessary to resolve the client’s concern. For example, a lockbox is not necessary to restrict the sharing of PHI with non-health care providers (e.g., family, employers, insurers) because the Agency needs the client’s express consent (in writing, as documented by the Agency) to share information with such recipients (unless, for example, a family member acts as the client’s substitute decision-maker). If a client does not want the Agency to share information with non-health care providers – we will not do so unless there is legal authority to do so.

As another example, if clients disagree with the information in their health records they can ask for a correction and/or append a statement of disagreement to the record. For that reason, they may not need a lockbox to solve their concerns about the accuracy of the information in their health record.

Implications of Implementing a Lockbox

If a client chooses to move forward with a lockbox request, it is important that they understand the possible implications of the lockbox. There may be implications and risks to the client and to their care. The Privacy Officer or agent should discuss implications and risks with the client. Examples may include:

The client not receiving the best possible service because health care providers may not have access to PHI that they need in order to provide the best possible care in a timely manner.
The client may have to undergo duplicate tests, procedures and/or health history questions, as applicable, if existing information is unavailable.
There may be circumstances where clinicians providing health care at the Agency cannot provide care in a manner that meets professional standards of practice if they do not have sufficient information. Such Clinicians may have to assess whether they can continue to provide care to a client if there is insufficient information. However, the decision to discontinue care to a client is a significant one and would only be made after thorough consideration of all the relevant information. Clinicians will try to maximize client choice about how their PHI is used and disclosed while at the same time allowing all of the Clinicians to uphold their commitments to deliver a high quality client care and to meet their obligations to their regulatory colleges.
· There may be other risks specific to particular clients, which should be explored and discussed with clients directly.

Decisions to Implement a Lockbox

The Agency’s Privacy Officer or designate will review, respond to, implement, and administer lockbox requests (including on behalf of a Rebound Total Health Team member, where applicable). Because the choice to implement a lockbox may have implications for the client’s care, if applicable, the client’s primary Rebound Total Health Team member (e.g. counsellor) must be involved in processing the request as appropriate.

The practical methods of implementing lockboxes are varied; therefore, lockbox requests are considered on a case-by-case basis. A decision to implement a lockbox will be based on the practicality of the solution, technological feasibility, and the specific circumstances.

The Organization’s Privacy Officer or designate will notify in a timely manner any client who made a lockbox request of the decision made in respect of the lockbox. If a decision has been to deny a lockbox request, the client will be informed of the right to make a complaint to the Information and Privacy Commissioner of Ontario.

Lockbox Exclusions

A lockbox is limited under PHIPA to those providing care to the client. It does not operate to prevent administrative functions from being carried out or the use or disclosure of PHI for other authorized purposes. For example, even where a lockbox is in place, it will not prevent the Agency from:

Obtaining or processing payments
Planning services,
Quality improvement,
Disposing of information,
Complying with a court order,
Litigation,
Research (with research ethics board approval),

The above actions are permitted under sections 37-50 of PHIPA.

A lockbox does not prevent Rebound Total Health team or the Agency from using or disclosing PHI where there is a legal obligation to do so (for example, to fulfill mandatory reports to the Children’s Aid Society or to the Ontario Ministry of Transportation). The Agency [and the Rebound Total Health team] may also use or disclose PHI if there are reasonable grounds to believe that using or disclosing the information is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons. Lock boxing does not prevent the Agency from retaining records in adherence to the CRPO and/or OCSWSSW Guidelines, for the minimum retention period required. There may be other circumstances where the use or disclosure of PHI is required or permitted by law. The Rebound Total Health team will consult with a Privacy Officer when in doubt.

Identifying a Lockbox

Before reviewing a client’s PHI, Rebound Total Health Team must always check to see if a lockbox has been applied.

Rebound Total Health team should be aware of how records are made subject to a lockbox and what a lockbox looks like.

Electronic Records:

If a client has implemented a lockbox:

A note will be added to the client’s chart, indicating the clients’ request for lockbox

The HIC will confirm that only the HIC and the therapist (agent) have access to the clients chart file in the agency’s EMR system, Jane. Other than the HIC and the therapist, the clients chart file will not be viewable to any other team members.

If the lockbox applies to Rebound Total Health Team members then the electronic system will restrict their access to that client’s PHI.

When the HIC or therapist (agent) attempts to view the clients chart file, each entry in the chart file would have an additional titled labelled “LOCK BOX” to make it apparent to all viewer that the information contained therein is lock boxed.

Paper Records:

At this time of policy creation, it is not Rebound Total Health’s practice to retain paper records. In the event that Rebound Total Health begins implementing paper records, the following steps will be taken in this case.

If the entire health record is subject to a lockbox, it will be in a sealed envelope (signed across the seal by a Privacy Officer or designate) with a label affixed to it that reads “Lockbox” and a “Lockbox Notification Alert” form will be apparent and will include a list of unauthorized or “locked” persons.

If a portion of the health record is subject to a lockbox, the relevant portion will be in a sealed envelope (signed across the seal by the Privacy Officer or designate) with a label affixed to it that reads “Lockbox” and a “Lockbox Notification Alert” form will be apparent and will include a list of unauthorized or “locked” persons.

“Breaking” the Lockbox

If a Rebound Total Health team member is authorized to access information that is otherwise “locked”, the following instructions explain how to access the PHI.

Electronic Record:

Only the HIC and the agent (therapist) would have access to the file. To “break” a lockbox, a Rebound Total Health Team member that does not currently have access would need to request that the HIC to have permissions changed to enable access the clients chart file. The HIC would only adjust the permissions if it was required to do so by PHIPA, to execute their duties of the HIC or only if this was otherwise permitted or required by law to use or disclose the information (such as in an urgent situation in order to prevent a significant risk of serious bodily harm). Only then would permissions be changed and access to the health record be made available to the team member.

Each entry in the chart file would have an additional titled labelled “LOCK BOX” to make it apparent to the viewer that the information contained therein is lock boxed.

Paper Record:

To “break” a lockbox, a Rebound Total Health Team member would open the sealed envelope and remove the paper records. Access to the health record is then available.

Any Rebound Total Health Team member who accesses PHI that is protected by a lockbox must document on the client’s health record the reason and authorization for “breaking” the lock. All information subject to a lockbox will be monitored and there will be random audits of such files. If a Rebound Total Health Team member is in doubt about whether they are legally permitted to break a lockbox, they should contact a Privacy Officer.

For paper health records, if the lockbox restrictions continue after the lock has been broken for a specific purpose, the PHI should be “locked” again in another sealed and signed envelope by the Privacy Officer or designate. The electronic record will continue with the assigned lockbox restrictions until they are removed.

Of course, a client may choose to withdraw a lockbox request or unlock PHI in a lockbox. That decision must be in writing and must be documented on the health record.

Notice to External Health Care Providers

If a client’s lockbox instructions state that the client does not want all or some PHI shared with an external health care provider, the Agency will not disclose PHI to the restricted external health care provider unless:

We are permitted or required by law to do so (for example, we need to disclose the PHI to the external health care provider in order to reduce or eliminate a significant risk of serious bodily harm to the client or to another person or persons)
The external health care provider has provided us with written proof of the client’s express consent to the disclosure.
If the Agency is prevented from disclosing PHI relevant to the provision of care to an external health care provider because of a lockbox, the Agency has an obligation to notify the receiving health care provider that not all the relevant PHI has been provided. As a note, the receiving health care provider is then able to explore the matter of the “locked” information with the client and seek consent to have the locked information shared.

Audits

The Organization’s Privacy Officer or designate will conduct audits of locked health records to ensure compliance with client lockbox instructions and to determine whether there has been inappropriate access to locked information. Any apparent unauthorized access to locked information will be investigated.

Breach of Privacy

Unauthorized access by a Rebound Total Health team member to a client’s health record constitutes a breach of privacy and may result in disciplinary action up to and including termination of employment or contract.

If there is a lockbox on a client’s health record and a Rebound Total Health Team member is excluded from accessing the PHI, it is a considered a breach for that Rebound Total Health Team member to access the PHI without specific authorization from the Privacy Officer or designate or unless otherwise permitted or required by law to use or disclose the information (such as in an urgent situation in order to prevent a significant risk of serious bodily harm).

The Privacy Officer is obliged to notify any affected client(s) of a privacy breach and their rights and will do so in accordance with the requirements of PHIPA.

[1] It is possible that we hold PHI about individuals who are not clients or who are former clients, and the lockbox policy would apply equally to those individuals.

[2]“PHI” is broadly defined under PHIPA. In our context it will mainly relate to a client’s health record and we have used “health record” interchangeably with PHI throughout the policy. It is possible that the Agency holds other PHI about an individual outside the health record and the lockbox policy would apply equally to that information, wherever it resides.

[3] We refer throughout to “Rebound Total Health Team members” – but this policy applies to the Agency, the Agency’s staff, volunteers, students, researchers and vendors.

[4]An individual’s substitute decision-maker may also request a lockbox and such requests are processed in the same manner.