ONTARIO, CANADA ONLY: Lockbox

Tia Low

The "lockbox" concept in Ontario refers to a patient's ability to withdraw or withhold consent to the use or disclosure of their private health information for healthcare purposes.

Ontario's health privacy law, the Personal Health Information Protection Act ("PHIPA"), provides individuals the right to choose and control how their personal health information is collected, used, and disclosed. 

The lockbox provisions within PHIPA are found in sections 17(1)(a), 38(1)(a), and 50(1)(e). The lockbox does not extend to other uses or disclosures permitted or required under PHIPA or other legislation.

Lockbox requirements

Features are available within ACC to satisfy each of these lockbox requirements: 

Capture the level of consent directive provided by the patient

You can create a workflow for the client to fill out a form with their consent directive information. The details they submit in that form will flow into their profile in the Demographics section. 

1. Create two Form Context Fields (Settings > Form Context > Add Attribute) that will appear under the client profile, one for the consent directive options and another for an explanation. 

(1a) Create a Form Context Field that provides a dropdown list for consent directive options. You may wish to write and display the options as suggested below. 

| Form Context Field option | Consent directive |
| --- | --- |
| Not applicable | |
| Not to collect, use or disclose a particular item of information. | Not to collect, use, or disclose a particular item of information contained in their record of personal health information, for example, a particular diagnosis. |
| Not to collect, use or disclose the contents of their entire record of personal health information. | Not to collect, use, or disclose the contents of their entire record of personal health information. |
| Not to disclose their personal health information to a particular health information custodian. | Not to disclose their personal health information to a particular health information custodian, a particular agent of a health information custodian, or a class of health information custodians or agents (for example, physicians, nurses, or social workers). |
| Not to enable a particular health information custodian to use their personal health information. | Not to enable a particular health information custodian, a particular agent of a health information custodian, or a class of health information custodians or agents (for example, physicians, nurses or social workers), to use their personal health information. |
| Lockbox | Shield all information from certain people. |

Screenshot (admin view): adding a Form Context Field for the consent directive options under Settings > Form Context > Add Attribute.

Screenshot (client view): the consent directive field under client profile > Client Info > Demographics.

(1b) Create a Form Context Field for the consent directive explanation.

Screenshot (admin view): adding a Form Context Field for the consent directive explanation under Settings > Form Context > Add Attribute.

Screenshot (client view): the consent directive explanation field under client profile > Client Info > Demographics, filled out with an example explanation.

2. Create a Form in Form Settings (Settings > Form Settings > + Add Form) that uses the two fields you created above and allows the client to sign for the consent directive. Ideally, you will have the client fill out the form in Family Portal.

Screenshot: the client's view of the form.

Indicate that a patient has an active consent directive

The workflow explained above captures the presence of a consent directive and adds instructions to the client's profile under the Demographics section. To indicate an active consent directive, add either or both of the following in the client profile:

  • Client Note (client profile > Client Notes > + Add Client Note)

  • Client Risk (client profile > Risk Assessment > + Row)

Workflow with example

Example scenario: The client has indicated they have a Consent Directive and do not want information shared with their physician.

1. Your agency administrator asks the client to fill out the Consent Directive Form in the Family Portal or at the first visit. The client's form submission populates the Form Context Fields in their profile under the Demographics section. 

2. Your administrator reviews and approves the Consent Directive Form. 

3. Your administrator creates a Client Note indicating additional details and adds the consent directive as a Risk on the client's profile. 

4. Your agency's coordinators are trained to check for consent directive Client Notes and Form Context Fields to ensure information is not shared without confirming the consent directive. 

  • The Client Note in the client profile specifies whether there is a consent directive.
  • The Demographics in the client profile specify instructions regarding the consent directive. 

 

Comply with patient's request to restrict their personal health information

Personal health information must be restricted in the following ways: 

  • Lock health records partially or completely from general visibility.
  • Lock all electronic documentation recorded in ACC.
  • Restrict one or more agency employees from accessing personal health information in ACC.

Visibility and restricted access 

To control access to a client's information, you can use Group Associations. Your agency's administrators assign a Group to a client profile and then limit access to the client record by assigning the same group to the selected employees who require access to it. Any employee who is not part of this group cannot view the client record in ACC. If your agency does not have the Group Association feature enabled, please create a support ticket. 

1. To create the Group, go to Schedules > Schedule Settings > Groups > + Add Group. You can name it "Lockbox," or anything else that works for your agency. ⚠ Each lockbox client requires their own lockbox group. In other words, if you have two lockbox clients, you would need "Lockbox1" and "Lockbox2." ⚠

2. Once you have created the Group, go to client profile > Client Info > Demographics. Under Groups, add the appropriate group to the client's profile. ⚠ The lockbox client must ONLY have the lockbox group assigned. ⚠

3. Go to employee profile > Demographics > General Information to add the same group to the employee's profile. 

(Group Associations does not mask data under Accounting and Data Exploration within ACC. PHIPA accepts reasonable disclosure of a client's medical record so that an agency can perform necessary administrative functions, such as resource planning, statistical analysis, collection of payments, and quality improvement. Additionally, client information in Accounting is limited to certain basic information and bill codes; it does not expose clinical notes or detailed care information.)

Electronic documentation

If a client wants to hide a part of their medical record, such as a diagnosis, your agency can exclude it from ACC. Instead, you can keep it in a sealed paper record with controlled access. Currently, lockbox options in ACC provide all-or-nothing access to client records.

Audit access to patient records

To see who accessed a client record, you can refer to the Audit Log (Settings > Audit Log), which provides details such as the user's role, event type, and client name. You can generate audit log reports based on start date, end date, employee, and client, up to 90 days in the past. 
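A periodic review can tie the group rules under "Visibility and restricted access" to the Audit Log described above. The following is an added example, not ACC code or an ACC export format: the record shapes, names, and the "view" event type are constructed assumptions, with audit rows limited to the fields this article says the Audit Log reports.

```python
# Added example. Record shapes and names are constructed, not an ACC export format.
from collections import defaultdict

LOCKBOX_GROUPS = {"Lockbox1", "Lockbox2"}
CLIENT_GROUPS = {  # constructed sample: client -> groups on the profile
    "Client A": ["Lockbox1"],
    "Client B": ["Lockbox2", "North Region"],  # lockbox group plus another group
    "Client C": ["Lockbox1"],                  # reuses Client A's lockbox group
    "Client D": ["North Region"],              # no consent directive
}
EMPLOYEE_GROUPS = {"nurse.one": ["Lockbox1"], "coord.two": ["North Region"]}
AUDIT_EVENTS = [  # constructed rows: employee, role, event type, client
    {"employee": "nurse.one", "role": "Nurse", "event_type": "view", "client": "Client A"},
    {"employee": "coord.two", "role": "Coordinator", "event_type": "view", "client": "Client A"},
    {"employee": "coord.two", "role": "Coordinator", "event_type": "view", "client": "Client D"},
]

def check_lockbox_groups(client_groups, lockbox_groups):
    """Flag profiles that break the two group rules for lockbox clients."""
    findings = []
    owners = defaultdict(list)  # lockbox group -> clients that carry it
    for client, groups in client_groups.items():
        held = [g for g in groups if g in lockbox_groups]
        for g in held:
            owners[g].append(client)
        # A lockbox client must ONLY have the lockbox group assigned.
        if held and len(groups) != 1:
            findings.append(("extra_groups", client))
    # Each lockbox client requires their own lockbox group.
    for group, clients in owners.items():
        if len(clients) > 1:
            findings.append(("shared_group", group))
    return findings

def unexpected_access(audit_events, client_groups, employee_groups, lockbox_groups):
    """Return audit rows where the employee lacks the client's lockbox group."""
    flagged = []
    for ev in audit_events:
        needed = set(client_groups.get(ev["client"], [])) & lockbox_groups
        if needed and not needed & set(employee_groups.get(ev["employee"], [])):
            flagged.append(ev)
    return flagged

if __name__ == "__main__":
    for finding in check_lockbox_groups(CLIENT_GROUPS, LOCKBOX_GROUPS):
        print("config:", finding)
    for ev in unexpected_access(AUDIT_EVENTS, CLIENT_GROUPS, EMPLOYEE_GROUPS, LOCKBOX_GROUPS):
        print("review:", ev["employee"], ev["event_type"], ev["client"])
```

Because audit reports reach back only 90 days, a review like this needs to run at least that often to cover every access.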
