Chapter 4 – Collecting Personal Health Information
The general rule is that the individual must consent to the collection of his/her personal health information (either express or implied).
Custodians and their agents may only collect information indirectly (from a person other than a client or his/her substitute decision-maker) with the consent of the individual (or his/her substitute decision-maker, where relevant), or in other limited and specific situations.
For more complete information, you should also look at the following section of PHIPA: 36
Definitions and rules
What is collection?
You “collect” PHI when you gather, acquire, receive or obtain it, regardless of how, or from whom, you get it.
Collecting PHI from someone other than your client
You are allowed to collect PHI indirectly (from someone other than your client) if
- you have the consent of the client, or the client’s substitute decision-maker,
- you have the authority under PHIPA or another law to do so,
- a law permits or requires another person to disclose the PHI to you,
- the Information and Privacy Commissioner has said that you can (but so far, there have not been any Commissioner’s rulings that would allow this),
- you need the PHI in order to provide care to the client, but cannot get the information from the client either in a timely way or accurately, or
- you have the approval of a Research Ethics Board in limited situations related to research (this is usually done by teaching and other hospitals).
When can you not use PHI collected indirectly?
Even if you have collected PHI from a third party as allowed under PHIPA, there may still be limits on what you can do with that information once you have it. For example, a client has the right to instruct you not to use PHI if you collected it from someone else because you could not get timely or accurate information directly from the client in order to provide appropriate health care to the client. A second exception is where you collected the PHI with the client’s consent, and he/she is now withdrawing that consent. The client’s ability to shield this information is commonly referred to as the “lockbox,” although that word does not appear in PHIPA. [There will be more discussion of this in Chapter 6.]
What this means is that if the client tells you not to use PHI you collected from a third party (such as the client’s neighbour or friend) in order to provide health care to the client, you will have to accommodate that request. This could also mean having to shield the information from others at your agency, including members of the client’s health care team.
Questions and Answers
Q: A client’s family member often volunteers information about the client that his clinical team thinks is important. I know that in most cases, we have to keep the client’s information confidential, but is it okay to listen to what his family has to say?
A: You can collect PHI from anyone, if you have the client’s consent.
Otherwise, you need to consider whether one of the other exceptions applies. Do you have any legal authority to collect the PHI from someone else, for example, on a Form 1 under the Mental Health Act? Or, do you need the information in order to be able to care for this client? (AND you can’t get it directly from the client OR you have concerns about the client being willing or able to give you reasonably accurate and timely information?)
If either of those scenarios applies to your situation, you can collect PHI from the family member, or anyone else, without the client’s consent.
Given the amount of intake and referral that goes on in the community mental health and addictions fields, staff must be able to collect information that is clinically relevant. You should always remember that if you collected PHI on the basis that the client cannot or will not give you timely or accurate information, he/she is free to later instruct you not to use the information for the purpose for which you collected the PHI in this way. Further discussion of what is sometimes informally referred to as the “lockbox” in PHIPA is found in Chapter 6 of this Toolkit.
Q: A client’s neighbour called and told one of our therapists that the client has spent the last two weeks in jail but is now out. At the next therapy session, the client says he was away because of a family emergency.
Should the neighbour’s information be put in the notes?
Could this have an impact on the neighbour’s safety?
How should the therapist handle treating the client with confidential knowledge that is not ‘on the table’ in therapy?
A: Although the staff member did not ask for this information, it is still a collection of PHI under the Act.
In this case, the staff member did not have the client’s consent to collect the information, nor did it fall under most of the exceptions. For example, no other law allowed it, nor did the Information and Privacy Commissioner create a new rule to permit its collection.
The only exception that might apply is if the staff member believes that the fact that the client was in jail is relevant clinical information that could not be obtained accurately from the client, nor be obtained in a timely way.
Part of the philosophy behind PHIPA is that individuals have a right to control their PHI. However, staff cannot always anticipate what a family member or other third party may tell them about a client. The best approach may be to make every effort not to collect PHI indirectly from third parties. If and when it happens, document it, and be aware that the client could later instruct you not to use the information you collected from the neighbour (by invoking what is sometimes informally referred to as the “lockbox,” which will be discussed further in Chapter 6).
Once you have the information, it should be documented, particularly where the information is related to potential risk. The rules in PHIPA about a client’s right of access to his/her record of PHI also contain a number of exceptions, including where letting the client see the record could be harmful to the client’s treatment or recovery or would create a risk of harm to a third party; or the person who provided the information expected it to be kept confidential.