PHIPA – Privacy and Security Policy


Pathstone Mental Health is a Health Information Custodian (HIC) and, as such, we are required, as an agency and as individual staff, to take reasonable steps to safeguard the Personal Health Information (PHI) in our custody and under our control.


Pathstone Mental Health recognizes the importance of privacy and the sensitivity of personal health information. Pathstone Mental Health has developed this Privacy Policy in accordance with PHIPA legislation to ensure that the personal health information of our clients is safeguarded and that clients and their families are made fully aware of our information practices. PHIPA legislation requires staff to adhere to each and every facet of the legislation. In addition, individual colleges, which cover a number of Pathstone staff, direct their members to fully comply with PHIPA and all other relevant legislation. This means that all rules under PHIPA are strictly followed when collecting, using, or disclosing PHI.


PHI is defined as identifying information about an individual in oral or recorded form, if the information:

  • relates to the physical or mental health of an individual, including information that consists of the health history of the individual’s family;
  • relates to the providing of health care to an individual, including the identification of a person as a provider of health care to an individual;
  • identifies an individual’s substitute decision-maker; or
  • identifies an individual’s health card number.

PHI is collected about clients to facilitate and provide assessment and counselling/therapy services. The information that we collect may include, for example, a client’s name, date of birth, address, health history, family history, records of visits to us and the care received during those visits. We also collect background information with respect to our clients and their family members to the extent that it is relevant to the provision of treatment services.

By law and in accordance with professional standards, Pathstone Mental Health maintains a record of services to, and contacts with, all clients.

All HICs and individual agents within the HIC are required to:

  1. Have a Privacy Officer
  2. Develop privacy policies
  3. Implement parameters around health information which can or will be shared with other providers (i.e., locking the disclosure of specific facets of a file or record)
  4. Collect only the amount of PHI that is required to perform our services
  5. Ensure that only those parties that are providing service(s) have access to and knowledge of the individual file or record
  6. Notify individuals if their information has been shared with or without intent with any party other than the person(s) who is/are providing service(s)
  7. Ensure that all agents including staff, students, and volunteers are informed of their responsibility under PHIPA legislation.

Our Privacy and Security Policy is designed to support Pathstone Mental Health staff in understanding their legal and professional obligations to maintain the confidentiality of individuals seeking service through our agency. It provides an overview of the confidentiality requirements set out under the Personal Health Information Protection Act, 2004 (PHIPA) and outlines other professional obligations related to client confidentiality within our professional scope of practice – counselling and therapy.

Given the complexities of the legal requirements, staff are reminded that, whenever there is uncertainty, they are advised to contact their manager or the Agency’s Privacy Officer, who could, if needed, contact our legal counsel or the Privacy Commissioner of Ontario for further direction.


The terms noted below will appear throughout this policy and have the following legal definitions under section 4 of PHIPA:

PHI, subject to certain exceptions, means identifying information about an individual in oral or recorded form, if the information:

  1. relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family
  2. relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual, or relates to payments or eligibility for health care in respect of the individual
  3. relates to the donation by the individual of any body part or bodily substance (research purposes)
  4. is the individual’s health number, or
  5. identifies an individual’s substitute decision-maker.

Identifying information can be defined as information that identifies an individual or for which it is reasonably plausible in some circumstances that it could be utilized, either alone or with other information, to identify an individual.

Guiding Ethical Practice

  1. Pathstone Mental Health staff must act in accordance with all of their professional and legal obligations.
  2. To establish and preserve trust in the therapeutic relationship, our clients must be confident that their personal health information will remain confidential.
  3. Maintaining confidentiality is fundamental to providing the highest standard of care. It is noteworthy that individuals who have confidence that their information will remain confidential are more likely to provide the counsellors and therapists with complete and accurate health information, which in turn, leads to better treatment.

Collecting and Disclosing Information

Staff can only collect information that has direct influence on the mental health treatment of the client.

Staff may only disclose PHI:

  • When they have the patient’s or substitute decision-maker’s consent and it is necessary for a lawful purpose;
  • Where it is permitted under legislation, without the patient’s or substitute decision-maker’s consent; or
  • Where it is required by law.

Staff require express or implied consent before disclosing personal health information.

Staff, however, are entitled to assume that they have their client’s implied consent for the purposes of providing or assisting in providing health care, unless the staff disclosing the information is aware that the client has expressly withheld or withdrawn consent. This means that, without reason to believe otherwise, staff can share information with others involved within the client’s circle of care without asking for the client’s consent.

The patient’s express consent is required for providing their personal health information outside of the circle of care, except where otherwise directed by legislation.

Lock Boxes

The term “lock box” applies to situations where the client has expressly restricted their counsellor/therapist from disclosing specific personal health information to others – even to others involved in the patient’s circle of care.

Alternatively, if the lock box creates a situation where the staff believes that their client’s safety is at risk, they can refuse to provide treatment when it is not an emergency situation (crisis services could not refuse service). The staff refusing service should explain the reasons for their decision not to treat.

Standards and Practices:

Staff recognize that they will not share information about their clients with others inside or outside of the agency except for purposes of supervision, safety, and where directed by the client or permitted under the law. All reasonable steps are implemented to protect client information by adhering to the principle of Identifying information, which this policy has defined as information that identifies an individual or for which it is reasonably plausible in some circumstances that it could be utilized, either alone or with other information, to identify an individual.

Therefore, in group supervision or case conceptualization discussions, a pseudonym and a false date of birth will be utilized. Although these steps will mitigate inappropriate disclosure, for a variety of reasons, it is recognized that it is almost impossible to safeguard everyone’s identity (e.g. individual returns to the program but is given a different staff).

When service is ended, the staff will have access to the file for three (3) weeks to ensure all proper documentation has been completed and authenticated. Should a family contact the staff for a booster session or to gather information, that staff will note expressed consent and will document all services and supports that were requested. It is not necessary to reopen the file.

Pathstone services are predicated upon providing optimal services in a compassionate manner and with authentic, genuine regard for the client and, as such, staff have a vested interest in the well-being of their clients even when the file is closed. This policy addresses issues related to health information. Therefore, should a client be referred to another program, it is acceptable to ask staff in that program for general non-health information updates on the individual. Further, if the client is seen while in the agency, it is equally acceptable for staff to acknowledge and to speak with their former client.


To ensure compliance with this policy, Pathstone Clinical Managers will engage in periodic audits of our Client Information System and will prepare an attestation twice a year, which will be in alignment with that of Clinical Connects. The attestations will be forwarded to the Privacy Officer for review.

It is not appropriate to access a client’s mental health information unless you are currently providing service to that person, or assisting in the provision of care to that client. Inappropriate access or use will result in disciplinary action that may include the disabling of your user account, being reported to any regulated health professional college of which you may be a member, discipline up to and including termination and/or being reported to the Information and Privacy Commissioner/Ontario (IPC). This process may also subject you to legal action, fines, or penalties.

Should you have questions or concerns, please contact Pathstone's Privacy Officer, Ulla Woodard, at (905) 688-6850 x109.