Record Keeping FAQs

FAQs: Record Keeping—Clinical Records

• Can I include information collected by another health professional (for example, assessment findings)?

  Yes. You can include findings made by other health professionals or information reported by patients or substitute decision-makers. This information should be recorded accurately and include a reference to the source of the information.

• Why do I need to include advice or information provided by telephone or email?

  The specifics of telephone and email advice or information should be recorded when it relates to the patient’s condition or clinical care. Information relating to changes in symptoms, condition or treatment provided should be documented in order to understand the care that was provided and the impact. 
  
  For example, information from a patient who telephoned or emailed to report an exacerbation of symptoms when a new exercise was added to their home program and any advice given should be included. Information that does not relate to the patient’s condition or care, such as how to submit an insurance claim form or where to obtain recommended equipment, need not be documented. 

• What other reports or communication should be included?

  Every written report sent or received regarding the patient’s care is a component of the clinical record and should be included. Progress notes or discharge summaries sent to or received from another healthcare provider, insurer or payer etc.; copies or notes documenting other forms of communication (for example, telephone or email) relevant to the patient’s condition or the care provided are part of the clinical record. Patient education material, home programs, telephone and email advice, flow charts, etc. should be included.

• What if a patient asks me to not include something?

  Under the Personal Health Information Protection Act (PHIPA) patients are able to withhold or withdraw their consent for the collection, use or disclosure of their personal health information. Patients may provide express instructions to not use or disclose personal health information. These are known as lock-box provisions. Health Information Custodians (HICs) are required to respect the decisions of patients regarding how their health information is collected, used and disclosed. The Office of the Information and Privacy Commissioner of Ontario (IPC) has more information regarding lock-box obligations for HICs on their website.
  
  IPC Website
  

• Is an analysis statement, clinical impression or diagnosis required?

  Yes. Physiotherapists are expected to document a summary statement analyzing the assessment findings and determining a clinical impression or diagnosis. It is important for anyone accessing the record to understand not only the assessment and interventions but also how the two are related. 
  
  The analysis statement, clinical impression or diagnosis should be based on the assessment findings and identify the need for the physiotherapy intervention. 

• Do patient goals and outcomes need to be documented in the chart?

  Yes. The clinical record should include patient-centered goals, as well as objective measurement of outcomes achieved. How these goals and outcomes are recorded will vary based on situation and context. 

• How much detail should be included when documenting treatment?

  When documenting the care provided, you will want to include enough detail to allow other health care providers to understand the care that was provided and allow them to assume and continue to manage the patient’s care. 

• What information should be included in a discharge summary or end of care note?

  The details included in an end of care note or discharge summary will vary with the reasons for ending treatment. For example, if the treatment has ended because patient goals have been achieved, the discharge summary should include the patient’s status at discharge, the goals and outcomes that were attained and any recommendations for ongoing self-management. However, if treatment ends for reasons beyond the physiotherapist’s control, for example, the patient did not return for treatment, died or was transferred to another facility, a note outlining the circumstances may be sufficient.

• How often should an entry be made in the clinical record?

  The patient record should include evidence of every professional encounter. This can be managed with the use of an appointment or attendance log or workload measurement system as long as the information can be retrieved for each patient. You should be able to generate a list of attendances for each patient, rather than a list of patients for each day.
  
  An entry should be made in the clinical record every time a patient is re-assessed and every time there is a change in the interventions provided. The frequency for documenting such progress notes will depend upon the individual patient, the type of care provided and the need to ensure enough information is recorded to allow another healthcare provider to understand the care provided. Physiotherapists should use their professional judgment to determine appropriate frequency. 

• Why do I have to document missed or cancelled appointments?

  Documenting missed or cancelled appointments can provide important information. Examining the pattern of attendance and reasons for missed or cancelled appointments may provide insight into the patient’s condition and outcomes of care. For example, a patient with poorly controlled diabetes who frequently cancels appointments because of low blood sugar likely should be encouraged to follow up with their physician to ensure appropriate blood glucose control rather than merely be encouraged to attend more regularly. Attendance patterns and reasons for missed or cancelled appointments can also help determine the most appropriate physiotherapy interventions. For example, a patient who complains about lack of improvement but has cancelled 7 of the last 10 appointments will require a different intervention than a patient who is not progressing but has attended all scheduled appointments.

• Why do I have to document that consent was obtained?

  The Health Care Consent Act outlines the requirements for obtaining consent for all healthcare professionals. The College requires that physiotherapists also document that consent was obtained.
  
  Consent should be obtained and documented for assessment and treatment activities and for the involvement of assistants. You are required to follow the process outlined in the Health Care Consent Act and to document that you did so.
  
  You should use your professional judgment to determine the level of detail that should be documented. Visit the government of Ontario e-laws website to review the Health Care Consent Act at www.e-laws.gov.on.ca. 

• How often do I need to chart?

  Use your professional judgement. How often you document progress depends on the patient and the care provided. An entry should be made in the clinical record whenever there is significant change in the patient’s condition or treatment or when relevant new information is received. Make sure enough information is recorded to allow another health care provider to understand that care.
  
  

FAQs: Record Keeping—Confidentiality and Access

• What should I do if a patient or someone else wants access to a record?

  Patients should have an understanding of how their personal health information will be collected, used and disclosed and how they may access their health records. If a patient requests a copy of his or her record, a copy should be provided within a reasonable time period. A fee may be charged to recover costs, but should be reasonable.
  
  Patient consent is needed before releasing information to another person—except in certain circumstances. These circumstances and the responsibilities of health information custodians (HICs) related to the collection, use and disclosure of personal health information are outlined in the Personal Health Information Protection Act (PHIPA) available at www.e-laws.gov.on.ca.
  
  Resources are available on the College website at www.collegept.org and the Office of the Information and Privacy Commissioner of Ontario website at www.ipc.on.ca.

• Who should have access to the records?

  There are three groups of people who are able to access patient records without explicit 
  patient consent:
  

  - The patient or their authorized representative. Patients and anyone to whom they give consent should be able to access the record throughout the retention period.

  - The care providers within the "circle of care." Circle of care is not a defined term under the Personal Health Information Protection Act (PHIPA). It is a term used to describe Health Information Custodians (HICs) and authorized agents who are permitted to rely on an individual’s implied consent when collecting, using or disclosing personal health information to provide direct health care. For more information about circle of care, please visit the Office of the Information and Privacy Commissioner of Ontario website.

  - An authorized assessor or investigator from a College established under the Regulated Health Professions Act (RHPA). Authorized investigators, assessors or representatives of the College of Physiotherapists of Ontario, as well as authorized investigators from another College established under the RHPA are permitted to access patient records in order to fulfill their obligations under the RHPA.

• What steps should I take to ensure confidentiality?

  Records should be stored in a secure environment to safeguard their integrity and confidentiality. This applies equally to paper and electronic records. Reasonable measures should be implemented to protect health information from loss, theft, unauthorized access, use or disclosure and tampering including copying, modification or disposal.
  
  This includes all components of the patient record such as attendance records, sign in sheets and exercise programs. 
  
  Some examples include ensuring:
  
  

  - Physical security (locked file cabinets, restricted office access, office alarm systems)

  - Technological security (password protection, encryption, virus protection, firewalls)

  - Administrative controls (security clearances, access restrictions, staff training and confidentiality agreements)

• Can the patient ask to have their record changed?

  Yes. According to the Personal Health Information Protection Act (PHIPA), the patient has the right to identify anything within the record that may be inaccurate, incomplete or misleading and to request correction of the record.
  
  However, you need only make changes to a patient record if you have confirmed there was an error. There is no expectations for a physiotherapist's judgement to be modified unless based on new factual information.
  
  Visit the Office of the Information and Privacy Commissioner of Ontario website to learn more.
  
  
  

• Help! I lost a patient record...what should I do? What are my professional obligations?

  1. Find out who the health information custodian (HIC) is in your organization. If you are not the HIC for your clinic, report the loss to the HIC. Hospitals, primary care teams, long-term care homes, pharmacies and community agencies are all considered HICs.
  
  

  2. Once reasonable attempts have been made to locate the file, the HIC has a duty to notify the patient at the first ‘reasonable opportunity’ that the file has been lost.
  
  

  3. You and the HIC should determine whether the privacy policies and processes of the organization were followed.
  
  

  4. Next, the HIC must determine if this is a one time occurrence or if it is part of a pattern of errors, what the impact on the patient could be, and whether the loss of a record could happen again. Make note of the findings of the review.
  
  Not all privacy breaches need to be reported to the Information and Privacy Commissioner of Ontario. If the lost chart is a one time occurrence, was not intentional and not a pattern, the matter can be internally managed. Debrief the issues with your team. Share the lessons learned so that you can build a positive culture around privacy safeguards in your workplace.
  
  

  5. All professionals must be diligent in scanning, storing and transferring records. The HIC must ensure that there are policies and processes in place to protect patient’s health records and that all staff are aware of necessary steps to follow if there is a loss or breach of a patient’s information.

• What if someone other than a patient or their representative wants access to a chart?

  Patient consent is required before releasing information to another person – except in certain circumstances (for example, in an emergency). In some cases, consent must be expressly obtained and in other cases it can be implied or assumed. 

• When is express consent needed for release of personal health information?

  Express consent is required where personal health information is disclosed to a person who is not a health information custodian (such as a police officer) or it is disclosed for a purpose other than providing health care (for example, fundraising or marketing).

• When can you rely on implied consent?

  Implied consent means the patient's behaviour implies that they consent (for example, a patient rolls his shirt sleeve up and presents his arm for your examination or when a client answers questions about his or her health history on an intake form), or the situation is such that consent can be assumed (for example, to provide ongoing health care). 

  Health professionals can assume that they have an individual’s consent to collect, use or disclose personal health information for the provision of health care if the following conditions are met:

  • The information was received from the individual (or substitute decision-maker), or another health information custodian.

  • The information is collected, used or disclosed for the purpose of providing health care to the individual.

  • If information is being disclosed, it must only be disclosed to another health information custodian.

  • The individual has not withheld or withdrawn consent.

  This is commonly referred to as sharing personal health information within the circle of care.

• Are there any circumstances when you can release personal health information without consent?

  Consent is not required in the following circumstances:

  - In an emergency

  - If there is a significant risk of serious bodily harm

  - In the context of a legal proceeding if the custodian or agent is a party or witness

  - Records are released to a regulatory College (for example, in the context of an investigation of a complaint)

• Do I need written consent to disclose personal health information?

  No. Individuals may consent verbally. But you should document in the individual’s health record that verbal consent was obtained.

• What if a patient asks me to not record certain information? (The concept of a lock box.)

  Under the health privacy laws, patients can withhold or withdraw their consent to the collection, use or disclosure of their personal health information. They can also provide express instructions to not to use or disclose their personal health information (or put it in a lock box). This includes:

  - Not collecting, using or disclosing a particular item of information (for example, a diagnosis).

  - Not collecting, using or disclosing their entire health record.

  - Not disclosing any personal health information to a particular person or group.

  Although it is up to the patient to decide what (if any) personal health information to lock, and to whom the lock should apply, you should discuss with the patient how locking personal health information might affect their health care.
  
  IPC Lock Box Fact Sheet

• What are the steps to take in the event of a privacy breach or lost file?

  1. Report the breach to the Health Information Custodian (HIC).

  2. Follow the privacy breach protocol and attempt to locate the lost file or contain the privacy breach.

  3. The HIC must notify the patient of the privacy breach, the steps taken to contain the breach or locate the list file, and the fact that they may make a complaint to the Information and Privacy Commissioner of Ontario.

  4. You and the HIC should determine whether the privacy policies and processes of the organization were followed.

  5. Determine if this is a one-time occurrence or if it is part of a pattern of errors, what the impact on the patient could be, and whether the breach could happen again. 

  6. Document the findings of the review.

  7. Notify the Information and Privacy Commissioner of Ontario if the breach meets their reporting threshold. If the loss or breach is a one-time occurrence, was not intentional and not a pattern of errors, the matter can likely be internally managed.

  8. Debrief the issues with your team. Share the lessons learned so that you can build a positive culture around privacy safeguards in your workplace.

• What to do with patient records when retiring, selling, or leaving a practice?

  If you are the Health Information Custodian (HIC) you must can either retain the records and store (and later dispose of) them safely, or transfer custody of the records to a new HIC.  

  You must notify individuals when you are transferring their health records to a successor.
  
  IPC - Avoiding Abandoned Health Records

• Who is the Health Information Custodian (HIC) in a group practice?

  Group practices should have formal written agreements in place that identify the custodian and obligations of each person when there is a change in practice.

• Can I store patient records in the cloud?

  Yes, as long as you ensure appropriate safeguards are in place. Check out the resource below from the Information and Privacy Commissioner of Ontario and learn all about the privacy, security and compliance considerations. 
  
  IPC -Thinking About Clouds

• Can I use email to communicate with patients?

  Email offers many benefits, but it also poses risks to the privacy of individuals and to the security of personal health information. Before using email to communicate, you should evaluate the risks and take steps to ensure that personal health information is protected from theft, loss and unauthorized use or disclosure.
  
  IPC - Email Fact Sheet

• Do I need explicit consent to share information with a patient’s family doctor?

  You can rely on the patient’s implied consent if:

  • The information was received from the patient (or substitute decision-maker) or another health information custodian.

  • The information is collected, used or disclosed for the purpose of providing health care to the individual.

  • If information is being disclosed to another health information custodian.

  • The individual has not withheld or withdrawn consent.

• A PT employee accessed the wrong patient file but it was a one-off error. Do I as the clinic owner and the health information custodian (HIC) need to report the patient information breach?

  No, but it's a good learning opportunity for staff. As the designated Health Information Custodian (HIC) you must first determine that the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances. You must consider whether the personal health information is sensitive, whether the loss or unauthorized use or disclosure involved a large volume of personal health information or many individuals’ personal health information and whether more than one HIC or agent was responsible. If you determine that the access was not intentional, significant or part of a pattern then a report does not have to be made.

  Remember that HICs are now required to report statistics relating to health privacy breaches annually to the Information and Privacy Commissioner of Ontario so keep a list of any potential privacy breaches. The online statistics submission website will be opened each year for health information custodians across Ontario to submit their statistics.

• Can I release patient records to police officers under the Missing Persons Act?

  Yes. The Missing Persons Act, 2018 came into effect on July 1, 2019, changing what information police can request or access when investigating missing persons in Ontario. The new power is designed to assist in cases where no criminal activity is suspected.

   

  Health care providers, including PTs, need to be aware of this new law as police officers may now make an urgent request for records (including health records) if they believe:

   

  1. You have relevant records

  2. The records would help locate a missing person

  3. Time is sensitive and the missing person would be harmed or the records destroyed if not produced immediately 

  The police request will specify the type of information sought and which information is needed to assist the police in locating the individual. In some circumstances, it may be appropriate to provide information orally.

   

  Important: A note should be made in the patient's record that the request was received, what information was provided, in what manner (oral, paper copy, etc.) and when.

• We use electronic health records at our clinic. Can a patient request an electronic copy of their health record? If so, what should I consider?

  Yes, a patient can request a copy of their electronic health record. If a patient requests a copy of his or her record, a copy should be provided within a reasonable time. A fee may be charged to recover costs but should be reasonable.  Ideally this fee should be included on the fee schedule at your clinic.

  Before using email to send a record, you should evaluate the risks and take steps to ensure that personal health information is protected from theft, loss and unauthorized use or disclosure. Custodians should use encryption for emails to and from patients that contain personal health information. This includes by encrypting or password-protecting document attachments and sharing passwords separately through a different channel or message. If the use of encryption is not feasible, custodians must determine if the use of unencrypted email is reasonable in the circumstances after considering all relevant factors, including the sensitivity of the information, the purpose of the transmission, and the urgency of the situation.
  
  (Please see IPC’s Fact Sheet: Communicating Personal Health Information by Email.)

  Practitioners should always consider whether it is necessary to store personal health information on a mobile device (such as a USB key) or whether an alternative, such as de-identifying the information or accessing the information through a secure remote connection, would suffice.  If it is necessary to store personal health information on a mobile device, the information must be secured using “strong encryption.” Password protection is not enough. 
  
  The Information and Privacy Commissioner of Ontario has stated that if personal health information on a mobile device is appropriately encrypted, the loss or theft of that device would not constitute a privacy breach.

FAQs: Record Keeping—Financial Records

• What information should be included in a financial record?

  The financial record should include the name of the patient and all care providers, including PTA’s, a description of the care, product or service that was provided, the date the service was provided, as well as the amount that was charged and received for the service.
  
  Read the Record Keeping Standard to learn more.

• Does the financial record need to be kept with the clinical record?

  No. The financial record may be kept separately from the clinical record. For example, the clinical record may be kept in paper format while the financial record is stored in electronic format. Keep in mind that the entire record should be retrievable for each patient during the entire retention period.

• Someone else completes and submits all the invoices, what should I be careful of?

  Having someone else, such as an employer, receptionist or billing clerk manage the business aspects of practice can be an efficient use of resources, but there are risks. You will want to analyze the risks associated with allowing someone else to complete invoices on your behalf and implement adequate safeguards.
  
  Remember, you are responsible for materials submitted on your behalf. If someone else is completing invoices on your behalf, you should be aware of the fees being charged for your services and have a system in place to monitor for accuracy.
  
  Written Process for Auditing Billing

• Did you know that the financial invoice and the sign-in sheet is considered to be a part of patient record? Why does this matter?

  Ask yourself if you are ever required to provide the entire patient record in the future (let’s say eight years from now, for example), could you access the full patient’s clinical records, the associated financial records and even copies of the sign-in sheet? 
  
  Being able to pull the entire patient record is something you might want to consider when you are storing files offsite or converting your files into a different format for example. 
  

   

  Personal Health Information Act
  Information and Privacy Commissioner of Ontario
  Recording Keeping Standard
  

FAQs: Record Keeping—General

• What is a Health Information Custodian (HIC)?

  A Health Information Custodian (HIC) is responsible for collecting, using and disclosing personal health information on behalf of patients. A HIC can be an individual PT or a person acting on behalf of a group of physiotherapists. Hospitals, primary care teams, long-term care homes, pharmacies and community agencies are all considered HICs. The Personal Health Information Protection Act, 2004 (PHIPA), sets out the rules for the collection, use and disclosure of health information and the responsibilities of the Health Information Custodian. 
  
  The HIC may have an “agent” that acts on their behalf with respect to personal health information. 
  
  Visit the website of the Office of the Information and Privacy Commissioner of Ontario to learn more about the roles and responsibilities of HICs and agents.
  
  PHIPA
  
  IPC Website
  

• Why is it important to identify the Health Information Custodian (HIC) in the patient record?

  Under the Personal Health Information Protection Act (PHIPA), physiotherapists can be either a Health Information Custodian (HIC) or an agent of a HIC. For example, a physiotherapist operating a solo practice would be the HIC, but a physiotherapist employed by a hospital (or other organization defined in PHIPA) would be an agent.
  
  The HIC is responsible for ensuring patients’ personal health information is collected, used, disclosed, stored and disposed of appropriately.
  
  In the solo provider and hospital examples, the HIC is defined by law. In other cases, there may be doubt as to who is acting as the HIC; for example, a physiotherapist working as an independent contractor, or working as an employee of a clinic or agency.
  
  In these examples, either party (the physiotherapist, clinic or agency) may act as the HIC. It is in everyone’s best interest to clarify and document in the patient record who is the HIC responsible for protecting patients’ health information.
  
  Physiotherapists who are not HICs but act as agents will want to ensure that both they and their patients will be able to access the health record even after care has ended.

• I work in an interprofessional team. What should we consider if we keep joint or combined records?

  Integrated patient records can facilitate communication, prevent duplication, enhance coordination and promote safe, quality care. The standards for record keeping remain the same when care is provided in a team environment.
  
  The record should document who provided care, when the care was provided, a rationale as to why the care was provided and the outcomes that were achieved. It is important to be able to determine who made which entry in the record.
  
  Team members will want to clarify who will act as the HIC and ensure that they and their patients will have access to the records even after care has ended. Other regulated health professionals will have similar but not identical requirements.
  
  Teams will need to work together to ensure each team member can meet their professional standards. 

• What should I consider when creating, storing and transmitting electronic information?

  The principles for managing personal health information and the expectations regarding record keeping are the same for paper and electronic records. However, there will be special considerations for each type of media. Some key considerations for electronic records include:
  
  Completeness—the entire record (clinical, financial and attendance information) should be retrievable and reproducible so that patients and other authorized individuals can access the information.
  
  Confidentiality—unauthorized access should be prevented; for example, by using password protection and/or encryption. This is particularly important when transmitting records electronically (such as by email), when storing patient information on portable devices (such as flash drives) or using technology in public places (such as tablets or smart phones).
  
  Audit trails—the date, time and identity of persons making an entry should be clear.
  When entries are changed, the original content should be preserved.
  Systems to prevent loss of information—data should be backed up and should remain retrievable throughout the retention period (for example, should technology change or become obsolete).
  
  Secure disposal—information should be completely purged or the hardware destroyed so that information cannot be retrieved rather than simply deleting files.
  
  The Canadian Alliance of Physiotherapy Regulators has a Guideline on the Collection, Maintenance, Transmission and Destruction of Electronic Health Information at www.alliancept.org. 
  
  The Office of the Information and Privacy Commissioner of Ontario website has information on safeguarding personal health information stored on electronic devices at www.ipc.on.ca.

• Why should I audit my records? How often should I audit?

  Taking time to review what and how you document and evaluate your record keeping practices against professional, legal and employer obligations, is an important activity for quality practice. Tools are available on the College website to help with auditing clinical and financial records. Set a reasonable time frame to regularly review records.
  
  The frequency will depend on your practice environment, how quickly practices change and whether there are other systems of checks and balances in place to help you feel confident that clinical and financial records meet standards. 
  
  Record Keeping Checklist
  

• What should I consider when using abbreviations, care maps, exercise flow sheets, charting by exception or other time-saving documentation tools?

  Think about the people who will read the information, and consider if the information you have provided is enough to completely understand the care given. Tools that promote standardization and efficiency should include enough information so that individuals who access the record can understand the care that was provided.
  
  Often that will mean including a copy of the care map or charting by exception tool. Abbreviations are acceptable to use in patient records. The College does not have a set list of abbreviations for PTs to use, but does advise that when using abbreviations, it’s best to spell out the word or term in full the first time it’s used and then use abbreviations afterwards. Some organizations keep a list of common abbreviations that can be referenced.
  
  When documents are referenced that are not part of the patient record it should be made clear where and how the reference document can be obtained. 

• What does it mean to be able to uniquely identify individuals?

  In any healthcare setting, there will be patients with the same or similar names. It is important to ensure that health information is linked to the correct person.
  
  A system that distinguishes or uniquely identifies patients (and providers) with the same or similar names should be used on all parts of the physiotherapy record including attendance, financial and clinical records.
  
  Using patient name together with a birth date or using a file number that relates to and identifies a single patient (also called a unique identifier) are examples of such systems. Care providers should also be uniquely identified.

• Do I need to sign my full name and title every time I make an entry?

  When making an entry in the health record it is important to be able to identify who made the entry in the record. Your full name and title should be documented at least once in the record.
  
  For subsequent entries, an abbreviated version can be appropriate as long as the entry can be linked back to you.
  
  When multiple care providers who share the same initials are making entries in the health record, the use of initials alone does not identify who made the entry and another method of signing the record is needed. 

• What should I consider when using an electronic signature or signature stamp?

  You are responsible for materials bearing your signature. You will want to analyze the risks associated with allowing another individual to apply your signature (either electronically or with a stamp) and implement adequate safeguards to prevent unauthorized use. Signatures should never be applied to documents in advance and you will want to review all materials that bear your signature.

• What information should be documented about the care assigned to physiotherapist assistants?

  When assigning care to physiotherapist assistants, you should refer to the Working with Physiotherapist Assistants Standard on the College website. 
  
  When documenting care assigned to support personnel or assistants, you will want to include a description of the care assigned, the frequency and time frame during which care is to be performed and that appropriate consent was obtained for the involvement of a support person or assistant.
  
  The patient should be aware of the name(s) of the physiotherapist assistants who will provide care, and PTs must ensure that the physiotherapist assistant’s name and job title appear on invoices whenever they have provided all or part of the treatment.

• What information should physiotherapist assistant document? Do I need to co-sign entries?

  Having physiotherapist assistants document the care that they provided can be an efficient and appropriate use of resources.
  
  To ensure that records maintained by physiotherapist assistants meet standards, you will want to determine the knowledge and skill level of the physiotherapist assistant, provide appropriate support and training, and audit performance from time to time.
  
  You are not required to co-sign entries recorded by physiotherapist assistants.

• How should I correct errors or make changes to an entry?

  Changing a record to reflect a new perspective or new information is permissible as long as the original content can still be read. Corrections can be made either by striking out the incorrect information in a way that does not destroy the information or by labelling the information as incorrect.
  
  The correct or new information can then be added to the record making sure to identify the date the change is made, the person making the change and the reason for the change. 

• I am retiring or changing jobs; what should I do with the patient records?

  If you are the Health Information Custodian (HIC), you are responsible for the collection, use, disclosure, storage, disposal and privacy of patients’ personal health information.
  
  If you are an agent of the HIC, you will want to ensure that the HIC will maintain the records as required under the Personal Health Information Protection Act (PHIPA) and that you and your patients will be granted access even after you have left the workplace.
  
  When retiring or changing practice location, a  retiring PT should make sure patient records are stored in a place that is safe and secure. Retiring PTs should also have a plan of how patients will be able to access the records if they need to. You may choose to relocate the records to a storage facility or transfer the records to another HIC.
  
  The Office of the Information and Privacy Commissioner of Ontario website has information on the responsibilities of HICs related to storing personal health information at www.ipc.on.ca.

• Should I audit my records?

  Yes, periodically reviewing your records is a good way to ensure they meet College requirements.

  Before you sign each patient entry, you should check the accuracy of the note.

  Additional reviews, to check the overall quality of charts should look at what and how you document and to evaluate record keeping practices against professional, legal and employer obligations (a checklist to help you is available on the College website). If possible, ask a peer to review your records as they may be more objective.  The frequency of reviews should depend on your practice environment, how quickly practices change and whether there are other systems of checks and balances in place to help you feel confident that clinical and financial records meet standards.
  
  

• What is a lock box?

  A “lock-box” is not a thing but rather a concept or term used to describe the right of patients to withhold or withdraw their consent to the collection, use or disclosure of their personal health information. Individuals may expressly instruct you to not use or disclose their personal health information for health care purposes.

  They could tell you to:

  • not collect, use or disclose a particular item of personal health information, such as a specific diagnosis, for health care purposes, 
  • not to collect, use or disclose the contents of their entire record of personal health information, or
  • not to use or disclose their personal health information to a particular individual or group.

  A patient cannot stop you from recording personal health information that is required by law or by College Standards. But once a patient locks personal health information, you cannot use or disclose the information, unless the individual provides express consent, or unless the law allows you to disclose the locked personal health information (for example, in an emergency).

  If you later need to share information about the patient with another health care provider, and you don't have the patient's consent to disclose all the personal health information you feel is necessary, you must notify the receiving health care provider of that fact (i.e., that there is information being withheld at the patient's request - but not the information itself). The receiving provider would then be able to explore the matter of the locked personal health information with the patient and seek their express consent to access the locked information.  
  
  Here is a link to a Fact Sheet put out by the Office of the Information and Privacy Commissioner of Ontario

• How should I reference documents that are not part of the patient record?

  Any document mentioned in a patient’s record needs to be easily accessible by anyone who may need to refer to the information. PTs must also make note of where the document(s) can be found.
  

• My patient has asked for a copy of their patient record. How much can I charge for providing a photocopy?

  As custodians of patients’ personal health information, health professionals are required to provide a copy within 30 days of the request. The fee should cover administrative costs but it should not be cost prohibitive to the patient.
  
  Note:
  Please review the Record Keeping Standard and visit the office of the Information and Privacy Commissioner of Ontario (IPC) website at www.ipc.on.ca for more information about access to personal health information.
  
  Adapted from the IPC website:
  
  

  1. You may charge a fee not exceeding reasonable cost recovery for providing access to an individual’s record of personal health information. 
  2. Before charging a fee, the Personal Health Information Protection Act (PHIPA) requires you to first provide the individual with a fee estimate.
  3. There is currently no regulation that sets the fee amount for providing access to an individual’s records of personal health information.

  However, Health Order HO-009 (2010) interpreted reasonable cost recovery and found that a custodian may charge a fee of $30 for photocopying or printing the first 20 pages of a record and 25 cents per page for every additional page. This $30 fee includes additional activities, for example, locating and retrieving the record, reviewing the contents of the record for not more than 15 minutes and preparing a response letter to the individual.
  
  IPC Website

  
  
   
  
  

• What information should be included in a discharge summary or end of care note?

  The details included in a discharge summary or end of care note will vary with the reasons for ending treatment. For example, if the treatment has ended because patient goals have been achieved, the discharge summary should include the patient’s status at discharge, the goals and outcomes that were attained and any recommendations for ongoing self-management. However, if treatment ends for reasons beyond the physiotherapist’s control, for example, the patient did not return for treatment, died or was transferred to another facility, a note outlining the circumstances may be sufficient.
  
  
  

• How should my title appear on a business card or correspondence?

  The official title is Physiotherapist, Physical Therapist, PT, or the equivalent in another language. For more information, see the Restricted Titles, Credentials, and Specialty Designations Standard.

FAQs: Record Keeping—Storage, Retention and Disposal of Records

• Can the clinical record be a combination of paper and electronic data?

  Yes. A clinical record can be a combination of paper and electronic data. However, it is important to cross-reference each component to ensure clarity of the total record and where the most up-to-date information may be found.
  
  The record should be safely stored and retrievable over the retention period regardless of the type of technology used. Attention should be paid to the risks associated with each storage medium and systems implemented to identify and address these risks. 

• If a record is converted from paper to an electronic format does the original paper copy need to be kept?

  No. There is no need to maintain a duplicate copy when paper records are converted to an electronic format as long as a complete clinical record can be accessed.

• What should I consider when storing the record in a patient’s home or other facility?

  The Personal Health Information Protection Act (PHIPA) allows records to be kept at a patient’s residence (including an institutional residence) if certain conditions are met. Visit the Office of the Information and Privacy Commissioner of Ontario website at www.ipc.on.ca to learn more.

• Can portions of the record be kept separately?

  Yes. Portions of the record can be kept in separate locations. However, it is important to cross-reference each portion to ensure understanding of all the portions that make up a complete record and where the most up-to-date information may be found.

• How should records be stored when they are no longer active?

  Active or not, records must always be stored securely. When storing records in the clinic, at your home, at a third party storage facility or using cloud-based services, appropriate safeguards should be taken to prevent loss, theft, damage and unauthorized access. Patients should be made aware of how they may access their records if needed. 

• How long should records be kept?

  Clinical and financial records must be retained for at least 10 years from the later of the following two dates: 

  • the date of the last patient encounter, or
  • the date that the patient reached, or would have reached 18 years of age.

  Equipment records should be kept for 5 years.
  

   

  
  

• How should I dispose of records?

  When disposing of personal health information at the end of the retention period, you will want to be sure that information is permanently destroyed in a secure manner. This applies equally to paper and electronic records.
  
  Paper records should be physically destroyed before being disposed of or recycled to protect the privacy of patients. Electronic records should be physically destroyed, erased or purged in an irreversible manner that ensures that the information cannot be reconstructed in any way. 

• What are the obligations of the Health Information Custodian (HIC) when a patient file is lost or stolen?

  You are required to:

  • Keep records of all breaches.
  • Determine if the information is significant after considering all relevant circumstances, including whether the personal health information is sensitive, whether the loss or unauthorized use or disclosure involved a large volume of personal health information or involved many individuals’ personal health information.
  • Be prepared to report significant privacy breaches to the commissioner under Personal Health Information Protections Act 2004 (PHIPA).
  • As of March 1, 2019, health information custodians will also be required to provide an annual report to the Information and Privacy Commissioner setting out the number of times in the preceding calendar year, personal health information in the health information custodian’s custody or control was stolen, lost, used without authority, and/or disclosed without authority. For custodians to prepare for this reporting requirement, they must start tracking their privacy breach statistics as of January 1, 2018.
    
     

  Privacy resources: 
  
  Information and Privacy Commissioner of Ontario

  Personal Health Information Protections Act 2004 

  Personal Information Protection and Electronic Documents Act 
  
  IPC Health Privacy Breach Notification Guidelines