March 28, 2023

Episode 5:

When Your Client Asks For a Copy of Their Therapy Record with Jean Eaton

In this episode, we have a guest on the show, Jean Eaton, Practice Privacy Expert. Jean shares with us how therapists and coaches can manage the release of information when it comes to a record disclosure request by a client or third-party.

Episode 5: When Your Client Asks for a Copy of Their Therapy Record with Jean Eaton

Show Notes

[1:03] Kayla: Welcome back to the Designer Practice Podcast. I’m your host Kayla Das. Today we have Jean Eaton, Practice Privacy Expert and Owner of Information Managers with us. Jean will be sharing with us how we, as therapists and coaches, manage the release of information when it comes to a record disclosure request by a client or third-party.

Hi Jean. Welcome to today’s episode, thanks for joining us today.

[1:30] Jean: Thank you, Kayla. I’m excited to be here today.

[1:34] Kayla: Great. And we’ve got a few months back through some mutual friends. I’ve had the pleasure to also be a guest on your podcast called The Practice Management Nuggets. So, if anybody wants to listen to her podcast, it’s amazing. I’ll let you share where our listeners can find your podcast.

[1:50] Jean: On all the big platforms. But you can always go directly to practicemanagementnuggets.live, and then you’ll get all the show notes and all the links.

[2:00] Kayla: Amazing. So, through our conversations today, we’re going to be discussing the struggles that some therapists go through when it comes to knowing which steps to take, when it comes to releasing information, especially when a client requests it. But we’ll also talk a little bit about when other people request it as well, like third parties. So, I’m excited that you’re going answer all these questions.

Before we dive in, Jean, please introduce yourself where you’re from, a little bit about who you are, who you work with, what your specialty is, all of that good stuff.

Meet Jean

[2:30] Jean: Thank you, Kayla. My name is Jean Eaton. I am the practical privacy coach and practice management mentor with information Managers. So, my independent consulting practice is right here in Edmonton, Alberta, and I provide consulting services across Canada. I’m a Certified Health Information Management Professional, which means that I am a CHIMP.

And as I CHIMP I have worked as a director of health records and hospitals across Canada. For the last 20 years I’ve focused my career working with independent healthcare providers. I’ve worked with medical, dental, chiro, physio therapists, consulting nurses in the healthcare space in Canada. So I have a lot of experience working with managing patient records, managing release of information requests, doing privacy impact assessments, privacy compliance, and helping people prepare for and be able to manage a privacy breach in their healthcare practices.

[3:31] Kayla: Wow. And that’s something that I know from personal experience. It’s something that I wish we knew a little bit more about as therapists. Now, of course, we have like ethics courses and things like that, but the actual practical information, which you’re going to share today is going to be so valuable.

So today we’re going to talk about records and how to manage client files. So, when it comes to obtaining client files, what are the client’s rights and what are the therapist’s obligations when it comes to providing records to a client?

Client’s Rights & Therapist’s Obligation

[4:03] Jean: Okay, so individuals, you and I and our patients have the right to privacy. So, we have the right to share what information that we feel comfortable sharing, and we get to decide who we want to share that information with. When a patient or a client to your business comes to your business and shares their information with you, then you as a therapist have the obligation to keep that information confidential and secure.

So, privacy is the right of the individual to selectively share what information they want to share about themselves to somebody else. As a therapist, as a business owner, you have an obligation to keep that information confidential, which means that you don’t share it with anybody else who doesn’t have a need to know that information.

You also keep that information secure. So, we talk about administrative, technical and physical safeguards so that we can take a really rounded 360-view about what information has patients provided to us, and now that we’ve collected it, we have the obligation to keep it secure.

So how are we going to implement good practices in our business to make sure that we are recognizing the information that’s been provided to us, that we’ve kept it secure whether it’s on paper or electronic. If we share or use other applications, how are they keeping that information secure? Because you’ve collected it, you have an obligation to ensure that it is safe and secure.

Case Note Retention Practices

And the other big piece is keeping it for the required retention. Colleges will recommend retention periods, but generally speaking it’s 10 years plus the age of majority, and that changes depending on your discipline and which province that you work in. But yeah, it’s a pretty good rule of thumb most of the time. So, when we think of maintaining records, what are some of the ways that a therapist can attain records? So, it’s really an important step of, as a business owner, as a therapist, to document where you collect patient’s information. So, if you’ve got a patient who comes to visit you in your office space, so face-to-face, physical location, you need to ensure that the way that you’re collecting that information is going to be secure.

So, you might do it on paper. Paper still works. It’s a perfectly valid business solution. You might decide that you want to collect that information using an app. Maybe you just use your computer and you use Word documents. It doesn’t go anywhere else. So, it stays in your office, but you have it digitally.

You might have an app that you use out of the cloud or something that you piece of software that you add that information in. So, practice management software like Jane or Health Quests or InTouch or a variety of other software systems. When you collect individually identifying information, you need to ensure that you have documented. You as a therapist, write it down as part of your business practices, where do you keep the information? So, do they book onto a paper calendar? On an electronic calendar, where exactly is it and what type of information is recorded? If you have pen and paper therapist notes, where do you keep that information secure?

So, you should have an inventory list. About each of the steps when you collect individual information from your patients and clients about where is it being recorded. So, we call those our databases, our data silos, and you want to know where that is because that will change over time. You might add some additional technology or some additional locations you might change from paper to technology or technology back to paper. And you want to keep an inventory that has some dates around it so that you can have that business, that corporate history about when you first got started, you did things on paper and that started from 2019 to 2022, and then you migrated everything to an electronic system. You need to keep that corporate history, that history of your patient records so that when somebody asks you for the information, you know exactly where to go to get that information.

[8:18] Kayla: That’s a really great point. And when we think of, say clients requesting files, what might be some reasons why they might ask a therapist to see their file or to have access to that file?

Reasons Why a Client Might Request a Copy of Their Therapy Record

[8:33] Jean: When we collect identifying information, we should let the individuals know that we’re keeping that information for the business purposes, for providing continuing care and treatment of that individual.

And, if there are any other purposes, you need to let them know about that as well. So, you might be doing it for third-party billing. Perhaps, you’ve got some other appropriate uses for that information. So, when you collect that information a patient can be curious. What did you actually write down there? I see you writing something. What did you put down there?

We should encourage our patients to ensure that they are checking about their patient records, their treatment records on a regular basis. Just like we should be looking at our credit card statements on a regular basis to ensure that it is accurate, that it’s complete, what people are writing about you. Which also means as a therapist, that you need to write your objective information on that and not some additional comments and interpretations and judgements that may not be appropriate.

Now if a patient wants to review their information for themselves, they want to ensure that it’s accurate and it’s correct. Because we know that when you have multiple records, you may have several people with the same name. It’s easy to get records mixed up. Family units from different cultures will have many people in the same family with the same name. It’s easy to get things mixed up. So, we want to make sure that we thought are accurate and complete.

If that information needs to be used for another purpose, the patient may want to look at that information before it gets released to somebody else. So, if they’re requesting additional insurance or financial support, they want to see the information before it goes to a third person. That’s totally valid. We want to be transparent with them and ensure that the information is as, as complete and as appropriate as possible.

The other thing is that when you are busily writing things down, you have a process. You might be going through a SOAP note about how you’re recording that information, but as the patient, as the individual, they really don’t have a sense about what you’re recording because they’re not therapists themselves.

So, it helps to build trust to feel comfortable being able to share that information because it’s their information. We want to make sure that they are comfortable with how you’re recording that information, that it’s accurate and it’s being used appropriately.

[11:01] Kayla: That’s a really good point. And when we think of case notes overall, sometimes it can feel like as a therapist that they are our notes because we are writing them. But they’re the client’s notes and they’re about the client, so they have full right and access to those notes.

[11:16] Jean: Yes.

[11:16] Kayla: So are there any additional considerations or steps that a therapist should take when a client requests a disclosure.

Conversation with Client About Release of Information

[11:25] Jean: I’d like to take a step back, Kayla, about the process, when we collect information. We should have a conversation with the individual about what information that we’re collecting and how is that going to be used. This is also the opportunity for the therapist to have a conversation with the patient about how they might want that information to be shared in the future.

So as an example, if you’ve got people that your family counselling for example, or somebody who’s coming to you because their family unit has had some crises, that’s an ideal time to have a conversation about who you are going to share that information with and who you are not going to share that information.

So, when you have those types of conversations right at the beginning, it makes it easier for you to make decisions about disclosure sometime down the future. So, if you’re very clear and the patients have what we call it, patient’s expressed wishes that I do not want my information shared with my spouse or my employer or anybody else that the patient wants. That should be recorded in your client record. That is top of mind is clear and is a permanent part of the record.

So, when the client comes to your services for the first time, they say, “I don’t want anybody to know that I was here.” You put that in the client note and then maybe a couple months later they say, “You know what? I’m feeling better about this. I’m feeling more confident about this. I do want this information shared with my spouse, but not with my children.” It doesn’t matter it’s not our right to decide for the patient who the information gets shared with, but it is our obligation to record what the patient’s expressed wishes, and then follow those expressed wishes.

[14:11] Kayla: I have a question that I know that some listeners would definitely be interested in too. When we think of, say, expressed wishes. What’s best practice to have things written down? Does it work someone just saying, “Hey, this is okay.” From a best practice perspective, what would that look like?

Best Practices for Third-Party Disclosure Requests with Client’s Expressed Consent

[14:32] Jean; Having a conversation with the individual and having the patient or the client say “I don’t want anybody to have access to this information.” Have a further conversation with them and say, what does anybody mean? Does it mean somebody in your family unit? Does it mean your family physician? Does it mean your insurance company? Tweak out those details because you know what they, that information might be used for. And the individual, when they first come to you, might not have a really clear understanding of what anybody would be. So, talking about it helps to provide that trust with the patient about how their information may or may not be used. And then you record that in the notes.

So, it doesn’t have to be that the patient has to write you a note in their handwriting. For you to put on the client record, you could, but it doesn’t have to be. That conversation is good enough, if you will if that’s your routine practice. And this is that litmus test is it reasonable in these circumstances and is this your routine practice? Is this your standard way that you do business?

So, most of the time, having a verbal conversation with the patient and then documenting it in your handwriting or in your keyboard is appropriate and is done on a regular basis in most businesses.

[15:50] Kayla: Perfect. That’s really helpful. So, what if a third party, so I know that many therapists worry about a lawyer or police officer or family member or another health practitioner. So, we think of any third party what considerations or steps should a therapist take when responding to, or even validating that a client is their client.

Considerations for Third-Party Disclosure Requests

[16:14] Jean: Okay, so a couple of background pieces. It depends a little bit on which legislation applies. So, if you are a registered nurse and you’re providing counselling services, then as a registered nurse in Alberta and most provinces across Canada, they must comply with the privacy legislation that applies to healthcare providers in private practice.

So, in Alberta it’s the Health Information Act. In Ontario, it’s the Personal Health Information Protection Act. And other provinces have different legislation, terminology. If you are a life’s coach, for example, you don’t fall under a regulated health profession, you still have privacy legislation that you need to follow.

And in most provinces, it’s called PIPA or PIPEDA. And if you need help figuring out which specific legislation applies to you in your province, send me a note and I’ll be happy to help you figure that piece out. But generally speaking, there are business privacy legislation and in private practice that you have to follow and you need to know whether or not you follow that legislation or if you need to follow the health regulation that follows the health regulated health professionals.

Assuming for our conversation that they’re all made the same. The easiest way to be able to provide information to somebody else is to have the patient consent to you that you can that. So, if it’s the patient wants you to share the information with the insurance company or their employer or their lawyer, having the patient saying, “Kayla, share this information with my lawyer.” Then you can go ahead and do that. Okay, so the patient’s direction is always going to be your trump card.

And as much as possible, you do want to have that in writing. And it doesn’t have to be on Kayla’s letterhead. The client can write it on their piece of paper to say, “I want this information to be sent to the lawyer for this purpose.” And as long as it is clear about what information specifically that they want the clinic notes from these date and times on this topic, then you can disclose.

Now, most of the time the patient or the client doesn’t really know what you wrote down, so it’s totally fair and valid and part of your responsibility as a therapist to review that information to make sure that it meets the desired outcome. That there is no conflicting information. And, of course, you have a responsibility to protect the identity of other persons.

So, if the clinic note talks about an aunt or a co-worker, then you might need to sever that information or blackline that information out. That gets really detailed. And I’m happy to talk about that later. But generally, if a patient says that they want this information to go to somebody else, and you have recorded that in writing and you follow what the patient has asked you to do, then that’s an appropriate disclosure.

If that information is required to a third-party because they’re in that circle of care or they’re providing additional health services to that individual, the legislation on this gets a little wonky. But again, if the patient says, I want this information to be sent to my family physician, if the patient says, do it, you can do.

If the family physician calls you up and says, “I understand one of my patients has come to see you. I’d like to be able to work with you about their mental counselling, or their family situation,” or a variety of other things and you haven’t talked with the patient yet, then things get a little bit more complicated.

[20:06] Kayla: No, that makes sense. I have a question because this has happened to me before and I’m sure it’s probably happened to some listeners. What if a police officer or a lawyer is say, looking for an individual and maybe there is no consent but they want to confirm that you had worked with them or that they had some information. What might be the best practice in that scenario.

Best Practices for Third-Party Disclosure Requests Without Client’s Expressed Consent

[20:31] Jean: Okay, so this does get more complicated but I’m going to try and give you the first steps to make it easier. The first question needs to be, is this required for an immediate safety concern? If you don’t get this information today, is somebody going to die?

Okay. And it’s that dire. Then in that case, you can be compelled to be able to provide a limited amount of information that will help to prevent that dire circumstance. Okay?

If it’s not that dire, then take a deep breath and make sure that you’ve got the right paperwork in place. And you are not required to provide that information by the end of the day. You are not required to provide it even by the end of next week. So, you’ve got time to take that sober second thought and make sure that you’ve got all of the checks in place.

If the individual has not provided you consent to be able to release that information to the police officer, then you need to make sure that you’ve got appropriate legal authorization before you release that information.

Now, I do have a checklist that will help you with that and I’ll give Kayla the link because it’s a rather long one but it’s a free download off of my website, how to prepare patient records for a court order in your healthcare practice.

[21:52] Kayla: To read Jean’s blog post, How to Prepare Patient Records for a Court Order in Your Healthcare Practice, check out kayladas.com/jeaneatonblog or scroll down to the show notes and click on the link.

[22:07] Jean: So, if you follow that link, then you’ll get access to the resource there to help you with that piece. So, if you don’t have patient’s authorization to share that information, there are steps that you need to determine the legal authorization. That checklist will help you with that.

And at that point, you need to call on a friend to help you determine that legal authority. I’m your friend, you can call me or you can call somebody else. But you do need to go through the steps, if the patient hasn’t provided that consent.

How to Manage a Conversation with a Third-Party Before Client Consent is Obtained

[22:35] Kayla: That’s a great point and something that I used to do when I was in the agencies, and I would love your feedback on this, is if a third party had called, say a lawyer, police officer, someone that I wasn’t able to connect with a client to determine everything was okay. I would say, “I cannot confirm or deny that this person that you’re requesting information about has ever been a client of mine.” And if they probed further, usually they always did. I would say, “If you believe that this person that you’re requesting information about was ever my client, you’ll need to obtain a written consent through a release of information form or obtain a subpoena before I could comment further.” So, what do you think about that?

[23:15] Jean: I’m delighted that you’ve got some prepared words to be able to respond to a request. Okay, so you’ve taken some due diligence. You’ve got something that you’ve scripted out, and that’s a great step. Personally, I probably wouldn’t be quite so formal, but what you’ve said is not wrong. Having something is far better than having nothing. And. The content is not wrong. So, if the patient hasn’t provided you the consent, you don’t want to share information even confirming that they have been a patient or a client with you before. So that’s totally the right approach. They can provide the patient’s consent. And so, you’ve opened up that opportunity. You’re not saying no, you’re just saying that there’s a process and there might be a fee associated with that. So that’s something else that you have to address.

And there is a legal process to be able to access that information, and it might be a subpoena, but there are other legal avenues that an individual could request. So, the person that is requesting has an obligation to know what their legal authority is to request that information. So, it might be child and family services. It might be under the Mental Health Act. It might be under the Guardianship Act. The person that’s making the request should know what their legal authority is to make that request. So, ask them. You don’t have to be the legal expert. You can ask them because that’s their job in that arena, whatever it is that they’re operating under. So, ask them specifically for that legal authority and to get the request and then you can follow up appropriately with them.

[24:49] Kayla: That’s really helpful. We talked a little bit about online documentation, but when it comes to say, online communication or documentation, that is really the go-to these days, how people communicate with clients, especially therapists who have virtual practices. So, are there any considerations when using technology or any best practices that therapists should take?

Considerations When Using Online Communication to Connect with Client

[25:14] Jean: There are a lot of considerations. So, you need to establish a risk assessment about what technology that you’re going to use. And one of the things that I see frequently is that the therapist, the healthcare provider will tell a patient, yeah, you can send me the email, but I’m not going to be responsible for it if somebody else reads it. And they try and transfer all of the risks to the patient. You’re not allowed to do that. And I’m going to give you an analogy.

So, we have an expectation of an individual who is a person of authority that they can make decisions on the behalf of somebody else. So, if you are walking down the street and a police officer says, “Hey, you, I need to see you. You come see me.”. And they’re a person of authority. We’ve been told that we must follow the instructions by that police officer. And if that police officer then subsequently says that there are actions in place then we can trust what they’ve said. So, in a similar way, if you are a healthcare provider, a therapist, and you are telling patients that you can send me an email but I’m not going to be responsible for it. You can’t do that. You can’t abdicate the trust of the position. You have to ensure that the patient, the client, understands the risks of having an email communication, how that information is going to be used, how it’s not going to be used, how somebody else could use it inappropriately. You can’t abdicate your responsibility to use technology because it’s convenient for you.

You have a responsibility to ensure that you’ve done a proper risk assessment, that you’re choosing good vendors who have good systems in place to keep that information secure. If you can’t do that, then don’t use that technology. So. when you are starting to consider having automated patient appointment reminders or using text technology or some other type of technology before you sign the contract with that vendor, you need to do your due diligence, the risk mitigation to make sure that that technology is secure. But then how you use the technology is also your responsibility. So, if you want to have a conversation with your patients by email, even if it’s just to confirm appointments, then when you collect the information about their email address, you need to let them know about how that email is going to be used, how it’s not going to be used.

Is it only going to be used to confirm your patient appointments and you’re not going to get marketing about this? Then you need to be very clear about how you’re going to use that information and don’t collect an email address that is not personal to the patient or the client.

You shouldn’t be collecting Jean at the City of Edmonton for receiving your patient appointment reminders because now you are disclosing that patient’s information to their employer. Even if that wasn’t the intention, if they’re using a work-related e email account, you are disclosing it to their employer and that will get you in hot water very quickly.

The other thing is that if you’re going to have this regular communication with the patient using the technology, whatever that technology is, you need to ensure that you have that record is part of something that you can retrieve. Something that you can manage and that will be maintained for retention record as all the rest of your records.

There are a lot of technologies that use patient portals for an example, and that could be a great way to securely send information to patients. They can pick it up later. It’s what we call asynchronous technology and it goes to a secure website. So, a lot of security is put in place, but you as the therapist, can’t download all of that transactional information when you decide to close that portal. Then you are essentially, giving up access to that patient’s record which is something that you are not allowed to do as a therapist. You’re, you’ve agreed that you’re going to keep it for the entire retention period.

So, when you are engaging with technology and new technology providers, you need to ensure that in the technology is secure and that you’re going to have continued access to it and be able to port it to a different type of technology should you terminate that contract. You just can’t leave information behind. You need to make sure that you have continued access to it.

[29:43] Kayla: This is fabulous information. Is there any additional insights or things that maybe you haven’t touched on today that would be really helpful practice nuggets for our therapists?

Jean’s Practice Management Nuggets

[29:55] You know your business better than anybody else. You know the types of questions that you get asked, the types of scenarios that happen. So, document those. So, you need to have written policies and procedures. You need to have a process. You need to be transparent with the patients and clients about that process. You need to do it consistently, and then you need to document when you get requests and when you are releasing information about how you do. That’s pivotal in any business. And you don’t have to be the master of all scenarios. Get really good about those 10 things that happen on a regular basis.

Make sure that’s really nice and tight and well-documented. And then that will be something that you can leverage when you get those unusual requests, which by the way, usually happen on the Friday afternoon of a long. Just saying

[30:45] Kayla: I agree.

[30:46] Jean: So, to be able to help you with that. I have a release of information checklist, so this is a resource that you can download and it will help you with some scenarios and will help you with some documentation and it will help you to record how you are managing and responding to the access and the disclosure request. So, we’ll prompt you with some key questions so that you can get the right answers. And then you’re going to keep that documentation as part of your client record to be able to clearly state this is how you got the request. This is how you processed it. This is where you looked for information. We looked in the portal, we looked in our paper records, we looked in our digital records, we looked in our email because information is often in more than one place. And this is what we responded. Make sure that you’ve got good policies and procedures about how you’re going to collect, use, and disclose information, including the fees that you might charge. Some places do charge fees, some don’t. But whatever you do in your business needs to be documented.

Free Release of Information and Disclosure Checklist

[31:48] Kayla: Amazing. And so, if you would like to download Jean’s free Release of Information and Disclosure Checklist, head to kayladas.com/jeaneatonchecklist or simply scroll down to the show notes and click on the link.

Thank you so much Jean, for joining us today and sharing with us such valuable information. If listeners have any privacy-related questions for you and want to reach out, how can they reach you?

[32:14] Jean: The easiest ways to reach out to me by email. So, you can contact me at jean@informationmanagers.ca with an s at the end, ca. I also encourage you to connect with me on LinkedIn, so send me a connection request on LinkedIn. Remind me where we met. I share a lot of resources, a lot of networking there on LinkedIn. So that’s a great place. That’s where I spend my social media time is on LinkedIn. And I’d be happy to give you a hand.

[32:42] Kayla: Thank you so much, Jean for spending time with us today and sharing these practice management nuggets with us.

And thank you everyone for tuning into today’s episode. Please don’t forget to download your free checklist and to read Jean’s blog post after you finish listening to this episode. Just a reminder the links for both are in the show notes below. Until next time. Bye for now.

Podcast Links

Jean’s Free Release of Information and Disclosure Checklist: kayladas.com/jeaneatonchecklist

Jean’s Blog Post How to Prepare Patient Records for a Court Order in Your Healthcare Practice kayladas.com/jeaneatonblog

Information Managers Pre-Made Practice Policy and Procedure Templates: kayladas.com/practice-policies

Use coupon code EVASPARE10 to receive 10% off policies and procedure templates.

 

Credits & Disclaimers

Music by ItsWatR from Pixabay

The Designer Practice Podcast and Evaspare Inc. has an affiliate and/or sponsorship relationship for advertisements in our podcast episodes. We receive commission or monetary compensation, at no extra cost to you, when you use our promotional codes and/or check out advertisement links.

Pin It on Pinterest

Share This