Lockbox Policy
ENCANTA COUNSELLING AND WELLNESS LOCKBOX POLICY
Last Updated: July 26, 2024
Ontario’s health privacy law, the Personal Health Information Protection Act (“PHIPA”), provides individuals [1] with the right to make choices about, and control how, their personal health information (“PHI”) [2] is collected, used, and disclosed.
PHIPA gives clients the opportunity to restrict access to any or all of their PHI by one or more Encanta Counselling and Wellness Team members [3] or by external health care providers. Although the term “lockbox” is not found in PHIPA, lockbox is commonly used to refer to a client’s ability to withdraw or withhold their consent for the use or disclosure of their PHI for health care purposes.
The lockbox provisions of PHIPA are found in sections 37(1)(a), 38(1)(a), and 50(1)(e). The lockbox does not extend to other uses or disclosures that are permitted or required under PHIPA or other legislation.
This policy will help our Encanta Counselling and Wellness Team understand and fulfill their role in PHIPA compliance.
Lockbox
Lockboxes may affect clinical practice for the professionals providing health care at the Agency because access to information about clients may be restricted, and such professionals may be asked not to share PHI with other health professionals inside or outside of the Organization.
Requests for a Lockbox
Any current or former client of Encanta Counselling and Wellness [4] may request a lockbox to restrict sharing of all or some of their PHI by one or more Encanta Counselling and Wellness Team members or by external health care providers.
When clients ask about lockboxes, it is important for Encanta Counselling and Wellness Team members to address their concerns about the confidentiality of their PHI. Note that some clients may want to control who can access their PHI, but may not know to use the term “lockbox.” Clients may want a lockbox when they use words such as “restrict,” “limit,” “don’t tell,” “exclude,” “shield,” or “block” when talking about their PHI. For example, clients may want a lockbox if they ask their health professional or other Team Member:
- Not to tell their specialist that they are being treated at the Encanta Counselling and Wellness
- To exclude certain of the Encanta Counselling and Wellness’s clinical staff from seeing their information
- To “shield” their information
- To “restrict” their health record
- Not to let their family members or neighbours who work with the Encanta Counselling and Wellness look at their health record
Clients may initiate the process for a lockbox by contacting Encanta Counselling and Wellness’ Privacy Officer [or by speaking to their therapist]. Clients must submit their request for a lockbox in writing.
The Encanta Counselling and Wellness “Lockbox Policy” should be given to clients who want more information. This policy discusses the purpose, implications, and limitations of implementing a lockbox.
Lockbox requests can vary considerably. A client may request that:
- Only some of the documents in their health record be locked
- All of their health record be locked
- All documentation created in the future be locked
- Only one Team Member be restricted from accessing PHI
- Several Team Members be restricted from accessing PHI
- All Team Members be restricted from accessing PHI
- One or more external health care providers not be given their PHI
Although PHIPA does not require that the Agency lock documentation that does not yet exist, in practice, refusing to lock future documents may result in frequent lockbox requests to the Agency from a client if a lockbox will be requested every time a new document is created. For this reason, the Agency will, where appropriate and if requested, lock documents as they are created.
An example might be where a client requests a future lockbox because one of their family members (or former spouse or partner) is an Encanta Counselling and Wellness Team member.
When clients request a lockbox, it often means they have concerns about their PHI and how it is being used and/or disclosed. Clients should be reminded that:
- Encanta Counselling and Wellness takes privacy seriously and keeps all PHI confidential and secure
- PHI is only accessed by Team Members on a need-to-know basis
- Encanta Counselling and Wellness conducts privacy audits regularly to ensure compliance with the policy
- Where PHI is accessed without authorization, appropriate steps will be taken to prevent a recurrence and there would be disciplinary consequences
- PHI is disclosed only to external health care providers with whom the client wants their PHI shared (unless the disclosure is otherwise permitted or required under PHIPA without consent or by another law)
Sometimes a client requests a lockbox when a lockbox is not necessary to resolve the client’s concern. For example, a lockbox is not necessary to restrict the sharing of PHI with non-health care providers (e.g., family, employers, insurers) because the Agency needs the client’s express consent (in writing, as documented by the Agency) to share information with such recipients (unless, for example, a family member acts as the client’s substitute decision-maker). If a client does not want the Agency to share information with non-health care providers, we will not do so unless there is legal authority to do so.
As another example, if clients disagree with the information in their health records, they can ask for a correction and/or append a statement of disagreement to the record. For that reason, they may not need a lockbox to solve their concerns about the accuracy of the information in their health record.
Implications of Implementing a Lockbox
If a client chooses to move forward with a lockbox request, it is important that they understand the possible implications of the lockbox. There may be implications and risks to the client and to their care. The Encanta Counselling and Wellness’ Privacy Officer or agent should discuss implications and risks with the client. Examples may include:
- The client is not receiving the best possible service because health care providers may not have access to PHI that they need in order to provide the best possible care in a timely manner.
- The client may have to undergo duplicate tests, procedures and/or health history questions, as applicable, if existing information is unavailable.
- There may be circumstances where clinicians providing health care at the Agency cannot provide care in a manner that meets professional standards of practice if they do not have sufficient information. Such Clinicians may have to assess whether they can continue to provide care to a client if there is insufficient information. However, the decision to discontinue care to a client is a significant one and would only be made after thorough consideration of all the relevant information. Clinicians will try to maximize client choice about how their PHI is used and disclosed while at the same time allowing all of the Clinicians to uphold their commitments to deliver high-quality client care and to meet their obligations to their regulatory colleges.
There may be other risks specific to particular clients, which should be explored and discussed with clients directly.
Decisions to Implement a Lockbox
The Encanta Counselling and Wellness’ Privacy Officer or designate will review, respond to, implement, and administer lockbox requests (including on behalf of an Encanta Counselling and Wellness Team member, where applicable). Because the choice to implement a lockbox may have implications for the client’s care, if applicable, the client’s primary Encanta Counselling and Wellness Team member (e.g. counsellor) must be involved in processing the request as appropriate.
The practical methods of implementing lockboxes are varied; therefore, lockbox requests are considered on a case-by-case basis. A decision to implement a lockbox will be based on the practicality of the solution, technological feasibility, and the specific circumstances.
Encanta Counselling and Wellness’ Privacy Officer or designate will notify in a timely manner any client who made a lockbox request of the decision made in respect of the lockbox. If a decision has been made to deny a lockbox request, the client will be informed of the right to make a complaint to the Information and Privacy Commissioner of Ontario.
Lockbox Exclusions
A lockbox is limited under PHIPA to those providing care to the client. It does not operate to prevent administrative functions from being carried out or the use or disclosure of PHI for other authorized purposes. For example, even where a lockbox is in place, it will not prevent the Agency from:
- Obtaining or processing payments
- Planning services
- Quality improvement
- Disposing of information
- Complying with a court order
- Litigation
- Research (with research ethics board approval)
The above actions are permitted under sections 37-50 of PHIPA.
A lockbox does not prevent an Encanta Counselling and Wellness’ Team member or Encanta Counselling and Wellness from using or disclosing PHI where there is a legal obligation to do so (for example, to fulfill mandatory reports to the Children’s Aid Society or to the Ontario Ministry of Transportation). The Encanta Counselling and Wellness and Encanta Counselling and Wellness’ Team members may also use or disclose PHI if there are reasonable grounds to believe that using or disclosing the information is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons. Lock boxing does not prevent the Agency from retaining records in adherence to the CRPO and/or OCSWSSW Guidelines, for the minimum retention period required. There may be other circumstances where the use or disclosure of PHI is required or permitted by law. Encanta Counselling and Wellness’ team members will consult with the Encanta Counselling and Wellness’ Privacy Officer when in doubt.
Identifying a Lockbox
Before reviewing a client’s PHI, Encanta Counselling and Wellness’ Team must always check to see if a lockbox has been applied.
The Encanta Counselling and Wellness’ team should be aware of how records are made subject to a lockbox and what a lockbox looks like.
Electronic Records:
If a client has implemented a lockbox:
- A note will be added to the client’s chart, indicating the client’s request for a lockbox.
- The HIC will confirm that only the HIC and the therapist (agent) have access to the client’s chart file in the agency’s EMR system, Jane. Other than the HIC and the therapist, the client’s chart file will not be viewable to any other team members.
- If the lockbox applies to Encanta Counselling and Wellness Team members, then the electronic system will restrict their access to that client’s PHI.
- When the HIC or therapist (agent) attempts to view the client’s chart file, each entry in the chart file would have an additional title labelled “LOCK BOX” to make it apparent to all viewers that the information contained therein is lock boxed.
Paper Records:
At the time of policy creation, it is not Encanta Counselling and Wellness’ practice to retain paper records. In the event that Encanta Counselling and Wellness begins implementing paper records, the following steps will be taken.
If the entire health record is subject to a lockbox, it will be in a sealed envelope (signed across the seal by a Privacy Officer or designate) with a label affixed to it that reads “Lockbox” and a “Lockbox Notification Alert” form will be apparent and will include a list of unauthorized or “locked” persons.
If a portion of the health record is subject to a lockbox, the relevant portion will be in a sealed envelope (signed across the seal by the Privacy Officer or designate) with a label affixed to it that reads “Lockbox” and a “Lockbox Notification Alert” form will be apparent and will include a list of unauthorized or “locked” persons.
“Breaking” the Lockbox
If an Encanta Counselling and Wellness Team member is authorized to access information that is otherwise “locked”, the following instructions explain how to access the PHI.
Electronic Record:
Only the HIC and the agent (therapist) would have access to the file. To “break” a lockbox, an Encanta Counselling and Wellness Team member who does not currently have access would need to request that the HIC change permissions to enable access to the client’s chart file. The HIC would only adjust the permissions if required to do so by PHIPA, to execute their duties as the HIC, or if otherwise permitted or required by law to use or disclose the information (such as in an urgent situation in order to prevent a significant risk of serious bodily harm). Only then would permissions be changed and access to the health record be made available to the team member.
Each entry in the chart file would have an additional title labelled “LOCK BOX” to make it apparent to the viewer that the information contained therein is lock boxed.
Paper Record:
At the time of policy creation, it is not Encanta Counselling and Wellness’ practice to retain paper records. In the event that Encanta Counselling and Wellness begins implementing paper records, the following steps will be taken.
To “break” a lockbox, an Encanta Counselling and Wellness team member would open the sealed envelope and remove the paper records. Access to the health record is then available.
Any Encanta Counselling and Wellness Team member who accesses PHI that is protected by a lockbox must document on the client’s health record the reason and authorization for “breaking” the lock. All information subject to a lockbox will be monitored and there will be random audits of such files. If an Encanta Counselling and Wellness Team member is in doubt about whether they are legally permitted to break a lockbox, they should contact Encanta Counselling and Wellness’s Privacy Officer.
For paper health records, if the lockbox restrictions continue after the lock has been broken for a specific purpose, the PHI should be “locked” again in another sealed and signed envelope by the Privacy Officer or designate. The electronic record will continue with the assigned lockbox restrictions until they are removed.
Of course, a client may choose to withdraw a lockbox request or unlock PHI in a lockbox. That decision must be in writing and must be documented on the health record.
Notice to External Health Care Providers
If a client’s lockbox instructions state that the client does not want all or some PHI shared with an external health care provider, the Agency will not disclose PHI to the restricted external health care provider unless:
- We are permitted or required by law to do so (for example, we need to disclose the PHI to the external health care provider in order to reduce or eliminate a significant risk of serious bodily harm to the client or to another person or persons)
- The external health care provider has provided us with written proof of the client’s express consent to the disclosure.
If Encanta Counselling and Wellness is prevented from disclosing PHI relevant to the provision of care to an external health care provider because of a lockbox, the Agency has an obligation to notify the receiving health care provider that not all the relevant PHI has been provided. As a note, the receiving health care provider is then able to explore the matter of the “locked” information with the client and seek consent to have the locked information shared.
Audits
Encanta Counselling and Wellness’ Privacy Officer or designate will conduct audits of locked health records to ensure compliance with client lockbox instructions and to determine whether there has been inappropriate access to locked information. Any apparent unauthorized access to locked information will be investigated.
Breach of Privacy
Unauthorized access by an Encanta Counselling and Wellness Team member to a client’s health record constitutes a breach of privacy and may result in disciplinary action up to and including termination of employment or contract.
If there is a lockbox on a client’s health record and an Encanta Counselling and Wellness Team member is excluded from accessing the PHI, it is considered a breach for that Encanta Counselling and Wellness Team member to access the PHI without specific authorization from the Privacy Officer or designate or unless otherwise permitted or required by law to use or disclose the information (such as in an urgent situation in order to prevent a significant risk of serious bodily harm).
Encanta Counselling and Wellness’ Privacy Officer is obliged to notify any affected client(s) of a privacy breach and their rights and will do so in accordance with the requirements of PHIPA.
[1] It is possible that we hold PHI about individuals who are not clients or who are former clients, and the lockbox policy would apply equally to those individuals.
[2] “PHI” is broadly defined under PHIPA. In our context it will mainly relate to a client’s health record and we have used “health record” interchangeably with PHI throughout the policy. It is possible that Encanta Counselling and Wellness holds other PHI about an individual outside the health record and the lockbox policy would apply equally to that information, wherever it resides.
[3] We refer throughout to “Encanta Counselling and Wellness Team members”, but this policy applies to Encanta Counselling and Wellness, Encanta Counselling and Wellness’s staff, volunteers, students, researchers and vendors.
[4] An individual’s substitute decision-maker may also request a lockbox and such requests are processed in the same manner.
Privacy Breach Protocol
In the event that there is a privacy breach, Encanta Counselling and Wellness has a comprehensive privacy breach protocol that involves 4 steps, generally outlined below. It is our commitment to ensure that your PHI remains confidential and is collected, used, disclosed and disposed of properly to the best of our abilities; however, in the unlikely event that a privacy breach does occur, we will adhere to our privacy breach protocol to ensure a timely remediation of said breach.
There is an obligation under PHIPA to notify affected individuals of a privacy breach (e.g. the theft, loss or unauthorized use or disclosure of personal health information) (ss. 12(2)). Custodians are also required to notify such individuals of their right to make a complaint to the Information and Privacy Commissioner.
If a privacy breach is suspected or known to have occurred, take the following action:
Step 1: Ensure the Contact Person is informed of the breach
- Notify all relevant team members of the breach, including the PHIPA contact person and determine who else from within the organization should be involved in addressing the breach
- Consider whether the Commissioner must or should be notified by reviewing these notification guidelines
- ipc.on.ca/wp-content/uploads/2019/09/20…
- A report must be formally made, as a record of all privacy breaches will be maintained.
- Develop and execute a plan designed to contain the breach and notify those affected.
Step 2: Contain the breach
- Retrieve hard copies of personal health information that have been disclosed
- Ensure no copies have been made
- Take steps to prevent unauthorized access to electronic information (e.g., restrict access, change passwords, temporarily shut down system)
Step 3: Notify affected individuals (consult with HIC to decide who will inform)
- Consider the most appropriate way to notify affected individuals in light of the sensitivity of the information (e.g., by phone, in writing, at the next appointment)
- Provide the organization’s contact information (HIC) in case the individual has further questions
- Inform all affected individuals if we have reported the breach to the IPC
- Inform all affected individuals that they are entitled to make a complaint to the IPC and provide contact information for them to do so
Step 4: HIC will further investigate and remediate the problem
- Conduct an internal investigation
- Determine what steps should be taken to prevent future breaches (e.g. changes to policies, additional safeguards required)
- Report the results of the investigation to the relevant regulatory College if appropriate or required
- Ensure staff is appropriately trained and conduct further training if required.
Record Retention Policy
In accordance with PHIPA, we ensure that any and all records are retained only for the period in which they are required to be retained (in accordance with regulatory colleges CRPO or OCSWSSW). Following this retention period, we ensure any PHI is securely destroyed.
We need to retain personal information for some time to ensure that we can answer any questions clients might have about the services provided and for our own accountability to external regulatory bodies. However, in order to protect client privacy, we do not want to keep personal information for too long. We keep our client files for at least ten years from the date of the last client interaction or from the date the client turns 18.
We destroy paper files containing personal health information by cross-cut shredding. We destroy electronic information by deleting it in a manner that it cannot be restored. When hardware is discarded, we ensure that the hardware is physically destroyed or the data is erased or overwritten in a manner that the information cannot be recovered.
Access to Information by HIC & Agents
Full Access
At Encanta Counselling and Wellness the individual with full access to PHI is Caroline Escobar Olivo, Registered Psychotherapist #12381. Caroline Escobar Olivo is the dedicated Health Information Custodian (HIC) and abides by strict confidentiality guidelines in adherence to PHIPA. While Caroline Escobar Olivo has full access to PHI, she will not access client clinical notes unless absolutely necessary to do so to execute her duties as the HIC.
In the event that PHI is accessed by the HIC, a chart entry will be added to the client file which outlines the detail of the access including the following:
- HIC Name
- Date & time of PHI access
- What was viewed, handled or modified on the client file.
The HIC is responsible for regularly auditing logs of accidental access, which can be requested by the Information and Privacy Commissioner of Ontario.
Practitioner-Only Access
At Encanta Counselling and Wellness the individuals with practitioner-only access include subcontracted therapists and students.
Practitioner-only access on Jane Practice Management Software permits the Agent to only view or modify the client charts of their own clients.
Practitioner-only access does not permit clinicians to view the client charts of other clinicians at Encanta Counselling and Wellness.
In the event that another clinician’s chart notes are accidentally accessed, a chart entry will be added to the client file which outlines the detail of the access including the following:
- Accessing Clinician Name, & HIC name
- Date & time of PHI access
- What was viewed, handled or modified on the client file
Administrative Level Access
At Encanta Counselling and Wellness the individuals with administrative-only access include Administrative & Non-Clinical Contractors.
Administrative level access on Jane Practice Management Software means that the individual will be prohibited from accessing any client clinical notes for any reason unless directed and given access by the HIC. Under this access level, any roles that require access to Jane Practice Management Software, including accessing client profiles, billing and/or appointment information will be kept to a minimum.
In the event that another clinician’s chart notes are accidentally accessed, a chart entry will be added to the client file which outlines the detail of the access including the following:
- Accessing Clinician Name, & HIC name
- Date & time of PHI access
- What was viewed, handled or modified on the client file
Complaints
The identification of a Contact Person is required to allow for consistent and professional regulations regarding any internal complaints. This organization’s Contact Person is: Caroline Escobar Olivo, Clinical Director and Owner. Upon receiving a complaint:
- Acknowledge receipt of the complaint
- Gather pertinent information
- Interview parties involved
- Determine what action, if any, will be taken
- Communicate any decision to the complainant along with a summary of action
- Advise complainant of their right to pursue additional action through the Information and Privacy Commissioner of Ontario
Questions or Concerns?
If you have questions or want to make a complaint about our privacy practices, please contact: caroline@encanta.ca
