Virtual Health Care Policy

Last Updated: January 18, 2024

Introduction

Ontario’s Personal Health Information Protection Act (“PHIPA”) imposes obligations with respect to the collection, use, and disclosure of personal health information. This Virtual Health Care Policy (“Policy”) governs the manner in which Barratt Psychotherapy Professional Corporation operating as Rebound Total Health collects, uses, maintains and discloses personal health information as outlined within our Policy herein.

Definitions

Definitions incorporated herein as per PHIPA

ipc.on.ca/wp-content/uploads/2015/11/ph…

“Health Information Custodian”: PHIPA defines a custodian as a person or organization listed in PHIPA that, as a result of his, her or its power or duties or work set out in PHIPA, has custody or control of personal health information. At Rebound Total Health, Brittany Barratt operates as the Health Information Custodian.

“Agent”: PHIPA defines an agent to include any person who is authorized by a custodian to perform services or activities in respect of personal health information on the custodian’s behalf and for the purposes of that custodian. At Rebound Total Health, our sub-contracted therapists, administrative team and students operate as Agents.

“Personal Health Information” or “PHI”: Personal health information is “identifying information” about an individual, whether oral or recorded, if the information:

  • relates to the individual’s physical or mental condition, including family medical history,
  • relates to the provision of health care to the individual,
  • is a plan of service for the individual,
  • relates to payments, or eligibility for health care or for coverage for health care,
  • is the individual’s health number, or
  • identifies a health care provider or a substitute decision-maker for the individual.

“Electronic Records”: Electronically stored documents that include client personal health information. Electronic Records are kept securely on the Jane software platform, which is a health practice management system licensed by Rebound Total Health. The Jane software platform is SOC-2 certified and utilizes 256-bit encryption. Additional information is available at the following link:
https://jane.app/features/security-and-reliability

Commitment to PHIPA

At Rebound Total Health, we, along with Barratt Psychotherapy Professional Corporation, are dedicated to operating in adherence with PHIPA. This includes, but is not limited to:

  1. Ensuring that our client’s Personal Health Information is collected, used, disclosed and disposed of properly pursuant to best practices;
  2. Ensuring that our client’s Personal Health Information and electronic records remain confidential;
  3. Ensuring that Agents at Rebound Total Health are aware of and meet their responsibilities in adhering to PHIPA.

In addition to adherence to PHIPA, as independent contractors, each Agent is responsible for ensuring their adherence to their respective Colleges’ rules of professional conduct.

Access to Information by HIC & Agents

Full Access

At Rebound Total Health the individual with full access to PHI is Brittany Barratt, Registered Psychotherapist #9464. Brittany is the dedicated Health Information Custodian (HIC) and abides by strict confidentiality guidelines in adherence to PHIPA. While Brittany has full access to PHI, she will not access client clinical notes unless absolutely necessary to do so to execute her duties as the HIC.

In the event that PHI is accessed by the HIC, a chart entry will be added to the client file which outlines the detail of the access including the following:

  1. HIC Name
  2. Date & time of PHI access
  3. What was viewed, handled or modified on the client file.

The HIC is responsible for regularly auditing logs of any incidents of accidental access, which can be requested by the Information and Privacy Commissioner of Ontario.

Practitioner-Only Access

At Rebound Total Health the individuals with Practitioner-only Access (as defined below) include subcontracted therapists and students.

“Practitioner-only Access” means a user’s account access credentials on Jane Practice Management Software which permits the Agent to only view or modify the client charts of the Agent’s own clients. Practitioner-only Access does not permit the Agent to view the client charts of other Agents at Rebound Total Health.

In the event that another clinician’s chart notes are accidentally accessed, a chart entry will be added to the client file which outlines the detail of the access including the following:

  1. Accessing Clinician Name, & HIC name
  2. Date & time of PHI access
  3. What was viewed, handled or modified on the client file

Administrative Level Access

At Rebound Total Health the individuals with Administrative-Only Level Access (as defined below) include Administrative & Non-Clinical Contractors.

“Administrative-Only Level Access” means a user’s account access credentials on Jane Practice Management Software which prohibits the user from accessing any client clinical notes for any reason unless directed and given access by the HIC. Under this access level, any roles that require access to Jane Practice Management Software, including accessing client profiles, billing and/or appointment information will be kept to a minimum.

In the event that another clinician’s chart notes are accidentally accessed, a chart entry will be added to the client file which outlines the detail of the access including the following:

  1. Accessing Clinician Name, & HIC name
  2. Date & time of PHI access
  3. What was viewed, handled or modified on the client file

Safeguards

Listed below are various safeguards that we have implemented to protect your PHI. We regularly review these safeguards to ensure that we are doing all that we can to protect your PHI.

ipc.on.ca/wp-content/uploads/2021/02/vi…

Technical safeguards:

  • We use only email, messaging, or videoconferencing accounts, software, and related equipment that is industry standard and pre-approved by Rebound Total Health. The HIC and Agents are required to use only the @reboundtotalhealth.ca email domain and JANE (EMR) software system. The HIC and Agents will limit email communication wherever possible.
  • Our HIC and Agents avoid the use of CC or BCC features when sending emails, as a means to avoid accidental breach through accidental CC.
  • We use firewalls and protections against software threats, which are recommended for use by all Agents. Both the HIC and Agents are urged to implement adequate firewall and antivirus protection on their electronic devices.
  • When accessing email correspondence, or JANE (EMR), our team members will only use secure, password-protected internet or Wi-Fi. Clinicians will not use public or insecure Wi-Fi networks when accessing anything related to clients.
  • We regularly update applications with the latest security and anti-virus software. JANE (EMR) regularly updates, and both the HIC and Agents are urged to regularly update their electronic devices.
  • We encrypt data on all mobile and portable storage devices, both in transit and at rest. Both the HIC and Agents use encrypted devices.
  • We maintain, monitor, and review audit logs. The HIC conducts regular audits and keeps up-to-date audit logs.
  • We use and maintain strong passwords. All electronically stored PHI is password protected.
  • We review and set default settings to the most privacy protective setting. Jane Settings are set for enhanced privacy and Agents are encouraged to adjust privacy settings on their electronic devices.

Administrative safeguards:

  • We ensure our team and other Agents are properly trained to use secure email, messaging, and video conferencing platforms.
  • We ensure our team and other Agents are well aware of their ongoing obligation to avoid collecting, using or disclosing more personal health information than is necessary.
  • We ensure confidentiality agreements contain explicit provisions dealing with team members’ and other Agents’ obligations when using secure email, messaging, or videoconferencing to deliver virtual health care.
  • All email communication between the HIC or Agents and clients is done through the Rebound Domain and includes a confidentiality statement outlining the privileged nature of the information, intended only for the recipient, the process for destroying information should it be the incorrect recipient and lastly, that sensitive information should not be shared via email.
  • We limit the inclusion of sensitive information in written communication. In addition, to minimize use of PHI, the HIC and Agents use, wherever possible, client initials or their Jane Client I.D. instead of identifying information such as names, phone numbers, etc.
  • We recommend that clients use a password-protected email address that only they can access.

Physical safeguards:

  • We keep all technology containing Personal Health Information, such as desktop computers and servers, in a secure location.
  • We keep portable devices containing personal health information, such as smartphones, tablets, and laptops, in a secure location, such as a locked drawer or cabinet, when they are unattended.
  • We restrict office access, use alarm systems, and lock rooms where equipment used to send, receive or store personal health information is kept.
  • We do not lend technology containing Personal Health Information to anyone without authorization.
  • We ensure there are no unauthorized persons in attendance or within hearing or viewing distance.
  • Any physical copy of PHI that is not electronically stored is physically locked away when not in use.

Additional safeguards for video conferencing 

As a best practice, we recommend that both the custodian and the client should join videoconferences from a private location using a secure internet connection. This includes using a closed, soundproof room or an otherwise quiet and private place and having window coverings where and as appropriate. We recommend the use of headphones rather than the speaker on the device to prevent being overheard by others, and we recommend being mindful of where screens are positioned. 

Once logged into the videoconference, we recommend our team members should check the meeting settings to ensure the meeting is secure from unauthorized participants. At the start of an initial visit, we have our team members verify the identity of the client, and inquire if anyone is accompanying the client and confirm the consent of the client. When videoconferencing, our team members use sufficiently high-quality sound and video resolution to ensure they are able to collect information (including verbal and non-verbal cues) that is as accurate and complete as is necessary for the purpose of providing health care.

Withdrawal of Consent

ipc.on.ca/wp-content/uploads/resources/…

Clients reserve the right to withdraw their consent at any point. Should a client wish to withdraw their consent, our therapy services will be terminated. As per the Information and Privacy Commissioner of Ontario, we will make an entry into the chart logging the withdrawal. We will then discuss with the client details around ‘lock boxing’ their information, what this means for their care and their rights for the future.

Privacy Breach Protocol

In the event that there is a privacy breach, Rebound Total Health has a comprehensive privacy breach protocol that involves 4 steps, generally outlined below. It is our commitment to ensure that all PHI remains confidential and is collected, used, disclosed and disposed of properly to the best of our abilities; however, in the unlikely event that a privacy breach does occur, we will adhere to our privacy breach protocol to ensure a timely remediation of said breach.

We acknowledge that there is an obligation under PHIPA to notify affected individuals of a privacy breach (e.g. the theft, loss or unauthorized use or disclosure of personal health information) (ss. 12(2)). Custodians are also required to notify such individuals of their right to make a complaint to the Information and Privacy Commissioner.

If a privacy breach is suspected or known to have occurred, we will take the following actions:

Step 1: Ensure the Contact Person is informed of the breach

  • Notify all relevant team members of the breach, including the PHIPA contact person, and determine who else from within our organization should be involved in addressing the breach.
  • We will consider whether the Privacy Commissioner must or should be notified by reviewing these notification guidelines ipc.on.ca/wp-content/uploads/2019/09/20…
  • We will prepare a formal report, as a record of all privacy breaches will be maintained.
  • We will develop and execute a plan designed to contain the breach.

Step 2: Contain the breach

  • We will attempt to retrieve any hard copies of Personal Health Information that have been disclosed.
  • We will verify whether any copies have been made, and attempt to retrieve those copies.
  • We will take steps to prevent any further unauthorized access to electronic information (e.g., restrict access, change passwords, temporarily shut down system).

Step 3: Notify affected individuals (consult with HIC to decide who will inform)

  • We will consider the most appropriate way to notify affected individuals in light of the sensitivity of the information (e.g., by phone, in writing, at the next appointment).
  • We will provide the contact information of our HIC in case the individual has further questions.
  • We will inform all affected individuals if we have reported the breach to the IPC.
  • We will inform all affected individuals that they are entitled to make a complaint to the IPC and provide contact information for them to do so.

Step 4: HIC will further investigate and remediate the problem

  • Our HIC will conduct an internal investigation.
  • Our HIC will determine what steps should be taken to prevent future breaches (e.g. changes to policies, additional safeguards required).
  • Our HIC will report the results of the investigation to the relevant regulatory College if appropriate or required.
  • Our HIC will ensure our staff is appropriately trained and conduct further training if required.

Record Retention Policy

In accordance with PHIPA, we ensure that any and all records are retained only for the period in which they are required to be retained (in accordance with regulatory colleges CRPO or OCSWSSW). Following this retention period, we ensure any PHI is securely destroyed.

We need to retain personal information for some time to ensure that we can answer any questions clients might have about the services provided and for our own accountability to external regulatory bodies. However, in order to protect client privacy, we only keep our client files for at least ten years from the date of the last client interaction or from the date the client turns 18.

We destroy paper files containing Personal Health Information by cross-cut shredding. We destroy electronic information by deleting it in a manner that it cannot be restored. When hardware is discarded, we ensure that the hardware is physically destroyed or the data is erased or overwritten in a manner that the information cannot be recovered.

Complaints

The identification of a Contact Person is required to allow for consistent and professional regulations regarding any internal complaints. The Contact Person for Rebound Total Health is: Brittany Barratt, Clinical Director and Owner. Upon receiving a complaint our Clinical Director will:

  • acknowledge receipt of the complaint,
  • gather pertinent information,
  • interview parties involved,
  • determine what action, if any, will be taken,
  • communicate any decision to the complainant along with a summary of action, and
  • advise the complainant of their right to pursue additional action through the Information and Privacy Commissioner of Ontario.

Questions or Concerns?

If you have questions or want to make a complaint about our privacy practices, please contact:

Brittany Barratt
289-204-6393
inquiry@reboundtotalhealth.ca


Signed: _____________________________________

Brittany Barratt, owner

Date: January 14th 2024
