Protection of Personal Information
Notice of Purposes
As a private practice, Shoreline must abide by the Nova Scotian Personal Health Information Act (PHIA) and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). The purpose of PIPEDA and PHIA is to, "govern the collection, use, disclosure, retention, disposal and destruction of personal health information in a manner that recognizes both the right of individuals to protect their personal health information and the need of custodians to collect, use and disclose health information to provide, support, and manage health care." Practitioners in provinces with provincial legislation judged to be "substantively similar" to PIPEDA (including Nova Scotia) mostly refer to their provincial legislation (i.e., PHIA). Companies that provide software to health practices across the country (e.g., Zoom) refer to PIPEDA.
Shoreline's staff collect and use clients' personal health information to provide the clinical services that have been agreed to. This includes evaluation, analysis of data, treatment planning and analysis, and referral (with consent). This information is accessible to the responsible clinician(s) that the client is working with, including students in training (with consent). The Clinic Manager (Pamela Coulter) can access limited information for the purposes of billing, intake, and coordinating clinical services. Shoreline's clinicians sometimes discuss client's cases with each other. This may include discussion about differential diagnosis or when planning treatment. This collaborative approach is typical in health care settings and contributes to our ability to provide the best possible care to our clients.
Information is only disclosed to professionals outside of Shoreline with the direct consent of the client, their legal guardian, or substitute decision-maker. This may include a client's family doctor, psychologist, teacher, neurologist, ENT doctor, physiotherapist, or other professional. The purpose of disclosing the client's information would be to inform assessment and treatment and/or to collaborate. It may also include sharing information with the Workers Compensation Board of Nova Scotia (with consent).
Information is also collected and used for the purposes of obtaining payment for clinical services. This includes direct billing through Medavie Blue Cross and Green Shield.
Before Shoreline's staff may disclose a client's health information (e.g., to the client's doctor), the staff member responsible for the client's care must obtain their consent. Before Shoreline's staff may request information from another professional (e.g., a psycho-educational assessment) the staff member must also obtain the client's consent. For these purposes, Shoreline asks client's to document this consent on a "Consent for Obtaining/Disclosing Health Information" form. The use of an external agency's form is also acceptable (e.g., that used by the Halifax Regional Centre for Education). When it is reasonable, informed written consent may be provided by a client by email.
Protection of Health Information
Shoreline has practices in place to prevent the theft, loss, and unauthorized access of clients' personal health information.
Physical safeguards: Files are kept in our locked office and in a private and/or locked file cabinet. When files must be transported, they are carried in a locked bag or case. Electronic files are stored on password-protected encrypted external memory drives. Staff's computers must be password protected and have acceptable antivirus software installed. Documents containing identifying information and/or personal health information that must be discarded are shredded on site.
All staff, volunteers, and students are required to read our privacy policies and sign a confidentiality agreement. They are also required to submit a recent criminal record check with vulnerable sector check when they are on-boarded.
Electronic Health Information
Zoom for Healthcare: Shoreline's clinicians use a platform called Zoom for Healthcare for hosting video therapy sessions. It is the level of Zoom for healthcare settings in both the public and private sector in Canada. This software complies with the requirements set out in PIPEDA - the Canadian law governing the protection of private health information. Only clients' names are stored in Zoom for scheduling purposes. Clients are given a special link and must be admitted from a virtual waiting room by their clinician. This prevents unauthorized persons from accessing a client's session. More information: https://explore.zoom.us/en/healthcare/
QuickBooks: Shoreline uses Intuit QuickBooks Canada for bookkeeping. Clients' names and contact information are stored in QuickBooks. This software complies with the requirements set out in PHIA for private practice clinics. The servers are located in Canada. QuickBook's website: https://quickbooks.intuit.com/ca/
Proton Mail: Shoreline uses Proton Mail for email communication. It is an end-to-end encrypted email service based in Switzerland. Proton Mail's website: https://protonmail.com/
Selectcom: Shoreline's fax service is provided by Selectcom. They are a Canadian company and are PIPEDA compliant. Their servers are located in Canada. Selectcom's website: https://www.selectcom.ca/
Jane App: This is a Canadian clinic management system used by Shoreline. It is used for intake, scheduling, record keeping, and billing. It is compliant with PIPEDA. Jane App's website: https://jane.app/
Shoreline maintains cyber security insurance coverage for its activities and employees. This coverage would be used to protect clients in the event of a breach of electronic health information. Shoreline's risk of such a breach is low due to internal safeguards and the nature of our work.
Retention of Records Schedule
Shoreline retains clinical documentation for a minimum of 10 years (or 10 years after a child turns 18 years old) after the termination of clinical services. At this point, information can be securely destroyed, erased, or de-identified. Destruction must render the record completely and irreversibly destroyed. For example, paper records must cross-cut shred and the hard drive of electronic devices must be wiped.
If information was required for decision making (e.g., related to legal proceedings or determination of capacity), the documentation must be kept longer than 10 years if it would impact the client. Destruction of such records requires the approval of the Clinical Coordinator.
Clients' Rights and the Personal Health Information Act
Individuals can read and learn more about the Personal Health Information Act here: https://novascotia.ca/dhw/phia/public.asp
Clients have the right to:
request a copy or view their records
request corrections as appropriate
request a record of user activity for electronic health records
request that specific information not be shared with other providers
be advised of breaches of information
make complaints to the custodian (Pamela Coulter)
request a review by the Review Officer of the Privacy and Access Office (https://novascotia.ca/dhw/phia/contact.asp)
Contact and Complaints
If you have questions about how we protect clients' personal health information or wish to submit a complaint, contact Shoreline's custodian:
Pamela Coulter, M.Sc., SLP-Reg, SLP(C)