Virtual Health Care Policy
LAST UPDATED: May 21, 2024
Ontario’s health privacy law, the Personal Health Information Protection Act (“PHIPA”), provides individuals [1] with the right to make choices about, and control how, their personal health information (“PHI”) [2] is collected, used, and disclosed.
This policy governs the manner in which Albano Psychotherapy Professional Corporation, operating as Feelings First Counselling & Wellness, uses, maintains, and discloses PHI. This policy also provides additional information about the safeguards we have implemented to protect PHI in our possession, and our protocol in the event of a privacy breach.
Safeguards for Protection of PHI
Listed below are various safeguards that we have implemented to protect PHI in our possession and control. We regularly review these safeguards to ensure that we are doing all that we can to protect PHI.
1. Technical safeguards:
Only Feelings First Counselling & Wellness pre-approved email, messaging, or videoconferencing accounts, software, and related equipment that comply with industry standards are used. Feelings First Counselling & Wellness’ HIC and Agents are permitted to use only the @feelingsfirstwellness.ca email domain and will have access to our EMR software system. Our HIC and Agents will limit email communication wherever possible.
Our contractors will avoid the use of CC or BCC features when sending emails, to avoid an accidental breach through an unintended CC.
We utilize firewalls and protections against software threats. We encourage all of our contractors to implement adequate firewall and antivirus protection on their electronic devices.
When accessing Feelings First Counselling & Wellness email or our EMR software system, our team members will only use a secure, password-protected internet or Wi-Fi connection. Our team members will not use public or insecure Wi-Fi networks when accessing anything related to clients.
We regularly update our software applications with the latest security and anti-virus software. Our EMR software system has regular updates, and our team members are urged to regularly update their electronic devices.
We encrypt data on all mobile and portable storage devices, both in transit and at rest. All of our team members use encrypted electronic devices.
We maintain, monitor, and review audit logs. Our Privacy Officer conducts regular audits and keeps an up-to-date audit log.
We use and maintain strong passwords. All electronically stored PHI in our possession and control is password protected.
We review and set default settings to the most privacy protective setting. Jane Settings are set for enhanced privacy and Agents are encouraged to adjust privacy settings on their electronic devices.
2. Administrative safeguards:
We ensure our team members are properly trained to use secure email, messaging, and video conferencing platforms.
We ensure our team members are well aware of their ongoing obligation to avoid collecting, using, or disclosing more PHI than is necessary.
We ensure confidentiality agreements contain explicit provisions dealing with our team members’ obligations when using secure email, messaging, or videoconferencing to deliver virtual health care.
All email communication between our team members and clients is done through our own domain and includes a confidentiality statement outlining the privileged nature of the information, that it is intended only for the recipient, the process for destroying the information if it reaches the incorrect recipient, and lastly, that sensitive information should not be shared via email.
To minimize use of PHI, our team members use, wherever possible, client initials or their EMR software system ID instead of identifying information such as names, phone numbers, etc.
We recommend clients use a password-protected email address that only they can access.
3. Physical safeguards:
We keep all technology containing PHI, such as desktop computers and servers, in a secure location.
We keep portable devices containing PHI, such as smartphones, tablets, and laptops, in a secure location, such as a locked drawer or cabinet, when they are unattended.
We restrict office access, use alarm systems, and lock rooms where equipment used to send, receive or store personal health information is kept.
We do not lend technology containing PHI to anyone without authorization.
We ensure there are no unauthorized persons in attendance or within hearing or viewing distance.
Any physical copy of PHI that is not electronically stored will be physically locked away when not in use.
4. Additional safeguards for video conferencing:
As a best practice, our team members will join videoconferences from a private location using a secure internet connection. This includes using a closed, soundproof room or an otherwise quiet and private place and having window coverings where and as appropriate. We use headphones rather than the speaker on our devices to prevent being overheard by others, and we are mindful of where screens are positioned.
Once logged into the videoconference, our team members check the meeting settings to ensure the meeting is secure from unauthorized participants. At the start of the video conference, our team members verify the identity of the client, inquire if anyone is accompanying the client, and confirm the client’s consent.
When videoconferencing, our team members use sufficiently high-quality sound and resolution to ensure they are able to collect information (including verbal and non-verbal cues) that is as accurate and complete as is necessary for the purpose of providing health care.
Breach of Privacy
Unauthorized access by a Feelings First Counselling & Wellness Team member to a client’s health record constitutes a breach of privacy and may result in disciplinary action up to and including termination of employment or contract.
Privacy Breach Protocol
In the event that there is a privacy breach, Feelings First Counselling & Wellness has a comprehensive privacy breach protocol that involves four steps, generally outlined below. It is our commitment to ensure that all PHI remains confidential and is collected, used, disclosed, and disposed of properly to the best of our abilities; however, in the unlikely event that a privacy breach does occur, we will adhere to our privacy breach protocol to ensure a timely remediation of said breach.
There is an obligation under PHIPA to notify affected individuals of a privacy breach (e.g. the theft, loss or unauthorized use or disclosure of personal health information) (ss. 12(2)). Custodians are also required to notify such individuals of their right to make a complaint to the Information and Privacy Commissioner.
If a privacy breach is suspected or known to have occurred, we will take the following actions:
Step 1: Ensure our team members are informed of the breach.
We will:
Notify all relevant team members of the breach, including our Privacy Officer, and determine who else from within our organization should be involved in addressing the breach,
Consider whether the Privacy Commissioner must or should be notified by reviewing the Commissioner’s notification guidelines available at https://www.ipc.on.ca/wp-content/uploads/2019/09/2019-health-privacy-breach-notification-guidelines.pdf,
Prepare and maintain a formal report of all privacy breaches, and
Develop and execute a plan designed to contain the breach and notify those affected.
Step 2: Contain the breach.
We will:
Attempt to retrieve any physical documents containing PHI disclosed due to the breach,
Verify whether any copies of these documents were made, and attempt to retrieve those copies, and
Take steps to prevent any further unauthorized access to PHI stored electronically (e.g., restrict access, change passwords, temporarily shut down the system).
Step 3: Notify affected individuals (consult with the HIC to decide who will inform).
We will:
Consider the most appropriate way to notify affected individuals in light of the sensitivity of the information (e.g., by phone, in writing, at the next appointment),
Provide the contact information of our Privacy Officer or HIC in case affected individuals have further questions,
Inform all affected individuals if we have reported the breach to the IPC, and
Inform all affected individuals that they are entitled to make a complaint to the IPC and provide contact information for them to do so.
Step 4: Our HIC will further investigate and remediate the problem.
An internal investigation will be conducted by our HIC,
A determination of what steps should be taken to prevent future breaches (e.g. changes to policies, additional safeguards required) will be made by our HIC,
We will report the results of the investigation to any relevant regulatory Colleges if appropriate or required, and
We will ensure our staff are appropriately trained to protect and safeguard PHI, and conduct further training if required.
Record Retention Policy
In accordance with PHIPA, we ensure that any and all records are retained only for the period in which they are required to be retained (in accordance with our regulatory colleges, the CRPO or OCSWSSW). Following this retention period, we ensure any PHI is securely destroyed.
We need to retain personal information for some time to ensure that we can answer any questions clients might have about the services provided and for our own accountability to external regulatory bodies. However, in order to protect client privacy, we do not want to keep personal information for too long. We keep our client files for at least ten years from the date of the last client interaction or from the date the client turns 18.
We destroy paper files containing personal health information by cross-cut shredding. We destroy electronic information by deleting it in a manner that it cannot be restored. When hardware is discarded, we ensure that the hardware is physically destroyed or the data is erased or overwritten in a manner that the information cannot be recovered.
Access to Information by HIC and Agents
Full Access
At Feelings First Counselling & Wellness, the individual with full access to PHI is Kristen Albano, Registered Psychotherapist #11834. Kristen Albano is the dedicated Health Information Custodian (HIC) and abides by strict confidentiality guidelines in adherence to PHIPA. While Kristen Albano has full access to PHI, she will not access client clinical notes unless it is absolutely necessary to do so to carry out her duties as the HIC.
In the event that PHI is accessed by the HIC, a chart entry will be added to the client file which outlines the details of the access, including the following:
HIC Name
Date & time of PHI access
What was viewed, handled or modified on the client file.
The HIC is responsible for regularly auditing logs of accidental access, which can be requested by the Information and Privacy Commissioner of Ontario.
Practitioner-Only Access
At Feelings First Counselling & Wellness, the individuals with practitioner-only access include subcontracted therapists and students.
Practitioner-only access on Jane Practice Management Software permits the Agent to only view or modify the client charts of their own clients.
Practitioner-only access does not permit clinicians to view the client charts of other clinicians at Feelings First Counselling & Wellness.
In the event that another clinician’s chart notes are accidentally accessed, a chart entry will be added to the client file which outlines the details of the access, including the following:
Accessing Clinician Name & HIC Name
Date & time of PHI access
What was viewed, handled or modified on the client file
Administrative Level Access
At Feelings First Counselling & Wellness, the individuals with administrative-only access include Administrative & Non-Clinical Contractors.
Administrative level access on Jane Practice Management Software means that the individual will be prohibited from accessing any client clinical notes for any reason unless directed and given access by the HIC. Under this access level, any roles that require access to Jane Practice Management Software, including accessing client profiles, billing and/or appointment information will be kept to a minimum.
In the event that a clinician’s chart notes are accidentally accessed, a chart entry will be added to the client file which outlines the details of the access, including the following:
Name of the accessing team member & HIC Name
Date & time of PHI access
What was viewed, handled or modified on the client file
Complaints
The identification of a Contact Person is required to allow for the consistent and professional handling of any internal complaints. This organization’s Contact Person is: Kristen Albano, Clinical Director and Owner. Upon receiving a complaint, Kristen will:
- acknowledge receiving the complaint
- gather pertinent information
- interview parties involved
- determine what action, if any, will be taken
- communicate any decision to the complainant along with a summary of action
- advise the complainant of their right to pursue additional action through the Information and Privacy Commissioner of Ontario
Questions/Concerns
If you have questions or want to make a complaint about our privacy practices, please contact:
Kristen Albano at kristen@feelingsfirstwellness.ca
[1] It is possible that we hold PHI about individuals who are not clients or who are former clients, and PHIPA and the above policy would apply equally to those individuals.
[2] “PHI” is broadly defined under PHIPA. In our context it will mainly relate to a client’s health record and we have used “health record” interchangeably with PHI throughout the policy. It is possible that Feelings First Counselling & Wellness holds other PHI about an individual outside the health record and the lockbox policy would apply equally to that information, wherever it resides.
[3] We refer throughout to “Feelings First Counselling & Wellness Team members” – but this policy applies to Feelings First Counselling & Wellness, Feelings First Counselling & Wellness’ staff, volunteers, students, researchers and vendors.