Orienting myself with Telehealth – Legislation, Policies, & Ethical Considerations

Some may wonder what considerations need to take place to perform telehealth practice in Alberta.  Because telehealth is largely unregulated, I am trying to build a more comprehensive understanding of what would be expected of social workers to adhere to legislation, standards of professional practice, and conduct evidence-based practice. For myself, digging into legislation is my preferred route.  Thus far, the relevant pieces of legislation under consideration include:

  • PIPEDA (Personal Information Protection and Electronic Documents Act)
    • This law is relevant to the private sector, as suggested by the Canadian Counselling and Psychotherapy Association (2019).  It governs how private sectors:
      • Collect, use, and disclose personal information in commercial activities.
      • When information is stored online (data residency), the business needs to know where the information is being stored, who has access to the information, and who can access information.  There are benefits to keeping the data in Canada.  Different provinces may have different rules on data residency in/outside of Canada.
      • Maintain responsibility for reliable security safeguards that are appropriate to the level of the information’s sensitivity.  The greater the sensitivity, the greater the security.
      • The Office of the Privacy Commissioner of Canada offers information on the regional laws in each province and who one would contact about privacy issues.
      • Once an organization collects sensitive data, they are 100% responsible for the protection and security of the data.  Organizations should have strong policies around their own security and decision-making as to which services that store data on the cloud meet the security requirements.
  •  HIA (Health Information Act – Alberta)
    • Section 23 of the HIA makes mention of the “use of recording device or camera,” indicating that a custodian that collects any information from an individual with a recording device/camera must get written consent from the individual before using the recording device/camera (Province of Alberta, 2018, p. 22).  No mention of affiliates who make the use of a recording device or camera is made.
    • Depending on the role of the social worker, they may either be in the position of a “custodian” or an “affiliate.”  Operating in the capacity as an affiliate, the social worker must not collect health information that is not a part of their responsibilities to the custodian (Province of Alberta, 2018; Government of Alberta Health and Wellness, 2011).
    • Social workers are not specifically mentioned as health professionals that are custodians, but notes that not all individuals who can be custodians or affiliates are listed in the legislation (Government of Alberta Health and Wellness, 2011).
    •  To me, distinguishing between a custodian and affiliate can be thought of as who is the management branch of the facility, as outlined in section 1(f) for custodians.  The service provider that works for the custodian can be considered an affiliate.  Individuals working for an agency or facility who are not on the board and provide client’s services are thus likely to be custodians (Province of Alberta, 2018).
    • This act also incorporates the duty to warn in several places that are worth considering if a videoconference would be considered health data:
      • Section 11 outlines the refusal of providing documents that may lead to harm of self or others.
      • Section 35(m) outlines disclosure to other persons if it will reasonably avert or minimize risk of harm  to the health or safety of a minor or reduce imminent danger to the health or safety of any person.
      • Section 47(2)(1)(a) outlines refusing to disclose information if there is an increased risk of harm that could take place
      • Section 60.1 outlines the duty to notify if there is a loss of health information that could lead to harm.
      • The Commissioner can disclose information where there is reasonable belief of a necessity to protect the privacy, health, and safety of an individual (Section 92(3.2)(a)) or act in the public’s interest (Section 92(3.2)(b)).
    • It is the responsibility of the custodian to identify responsible affiliates that ensure the act and regulations are complied with, as per section 62(1).  As outlined in section 63(1) the custodian develops the policies and procedures that would facilitate and adhere to the act and its regulations.  My understanding from this is that the onus is on the custodian to create and educate the affiliate on how to comply with the best information practices that fit with the act.
    • It is the custodian that would need to prepare a privacy impact assessment to see how the administrative practices information systems relating to the collection, use, and disclosure of information may impact individual privacy.  The custodian would submit the privacy impact assessment to the commissioner to be reviewed before the plan is implemented.  The feedback from the Commissioner would then need to be integrated and resubmitted for approval before moving forward.  The privacy assessment would need to:
      • Describe how the information would be used and how the data matching is to be collected (Section 70(1)(3)(a)).
      • Set out how information is created through data matching would be used or disclosed (Section 70(1)(3)(b)).
    • There are some anti-oppressive components to the legislation that outlines the responsibility for custodians to assist clients in accessing their information.  Section 10(a), as indicated by the Government of Alberta Health and Wellness (2011) has the following responsibilities:
      • A responsibility to tell the client what they will need to know in order for them to get as much information as they are seeking under the Health Information Act.
      • To advise the client that other custodians or other organization(s) may have health information about them and that a separate request may need to be made to the other organization(s).
    • There is a timeline in which the client can expect to have their health information.  As outlined by Section 12(1), a reasonable effort is to respond to the request within 30 days.  This can be extended with an extension under Section 15.  The timeline is based on calendar days, as opposed to business days.  The client may be responsible for associated copy fees.  A written request is suggested to provide accountability on the 30-day timeline (Government of Alberta Health and Wellness, 2011).  Other components of extensions include:
      • A custodian’s failure to respond to the request within 30 days or the extension period is treated as a decision to refuse access, which leaves a possibility for a request of complaint and review.  The circumstances for a time extension are outlined in Section 15(1).
      • The maximum time that can be allotted for an extension is 30 days, allowing for a total of 60 days to process a client’s request from the date it was made.  If the custodian believes that it would take more than 60 days to fulfill the request then the custodian must write the Information Privacy Commissioner within the first 30 days to request a longer extension, and provide details as to the need for the extension.  The commissioner can deny this extension leaving the maximum at 60 days.
      • The custodian’s responsibility to inform the client of an extension on preparing the applicant’s health information to fulfill the request.
      • If the day of response falls on a statutory holiday, the response is due on the next business day.
    • The custodian should collect all relevant fees before releasing the documents to the client.
    • FOIP and HIA information are separate; thus only information pertaining to the regulations of FOIP should be released under a FOIP request, and the information pertaining to the HIA be released under an HIA request.
    • The response to an applicant has  several components:
      • Whether access to a record or part of the record is granted or refused
      • If access to the record or part of it is granted, when/where/how access will be given
      • If access is refused:
        • The reason for the refusal
        • The contact details of an affiliate who can answer questions on the reason for refusal
        • The ability to ask for a review of the decision by the Commissioner under Section 73(1)
    • Repetitious requests can be denied if they:
      • Unreasonably interfere with the operation of the custodian
      • Seek the same or similar information repeatedly
      • Ask for corrections of opinions of the self when a decision on amendments have been made
      • Make the same request before the previous request has been processed
    • There are several considerations for the fees a client may incur for a request:
      • GST is not charged to the client by a public health provider.  Private practices and other small custodians are required to charge a GST.
      • There may be a basic $25.00 fee for access to a copy of the record to cover:
        • Receiving and clarifying the request
        • Locating and retrieving the records
        • Preparing the records for copying
        • Preparing a response letter
        • Packaging the copies for the client
        • Photocopying the record
      • If the basic fee applies, the custodian may not start processing the request until the fee is paid.  There is a fee schedule that outlines the maximum an individual can be charged (calculated at $0.25 per page)
      • The client must get an estimate of the fee charge before the service is provided
    • The client will receive a notice that includes a request to pay 50% of the estimate in advance, and that the client has 20 to inform the custodian of acceptance to proceed.
    • A fee waiver may be granted by the Commissioner if requested as per Section 67(5).
  • Personal Information Protection Act (Alberta)
  • Alberta Electronic Health Record Regulation
  • FOIP
  • Alberta Health Services Policies
    • AHS released a Novel Coronavirus FAQ page that outlined policies on platforms and methods of providing a continuity of services during a health pandemic (Alberta Health Services, 2020).  Sections 192 and 193 of this document, there is an external website that provides information on tools to support virtual healthcare.
    • As of May 25, 2020, approved teleconferencing tools include “Skype, Telehealth, and Zoom” (Alberta Health Services, 2020a).
    • It sounds like Alberta Health Services (AHS) is not utilizing Zoom Healthcare accounts – as this AHS document discusses how to carry out clinical group sessions with a zoom basic account in compliance with AHS policies (Alberta Health Services, 2020b).
    • The informed patient consent script of AHS (2020c) is also useful as a guideline on what types of consent can be gathered and deemed acceptable.  While it is specific to the wide range of services provided by AHS, it outlines some considerations we should have when working with individuals/groups and prompts for individuals before moving forward.
    • AHS Policy PS-06 provides an outline from an AHS perspective as to how to confirm the identity of individuals (AHS, 2020d).  This policy can guide the policies of other agencies.  The original version of the Patient Identification policy can be seen here.
    • Telehealth considerations for virtual care – including considerations based on professional affiliation and inter-regional service provision are outlined by AHS here (AHS, n.d.).
  • ACSW Standards of Practice (Alberta College of Social Workers, 2019)
    • Under the circumstances of digital practice there are several standards that are relevant to social work practice:
      • B.3(b) Another consideration is the conflicts of interest that may arise when there is a disjuncture between continuity of service delivery, agency contracts, and evidence-based practice.  There may be competing demands that emerge from an agency’s fulfilment of contracts to funders, while still carrying safeguarding the rights of the client.  Subsections i and ii would require the ceasing of service provision (i) or documenting the conflict of interest and measures taken to try and resolve the conflict(ii).
      • B.6(c) Under this section it is outlined that the social worker will identify deficiencies in information/information gathering activities and how the method of the collection method could compromise the validity of the interpretations that could be concluded from the assessments.  In terms of assessment instruments, I would interpret this to be that there would need to be an evidence-based assessment of any assessment tools for being conducted via digital communications if their intended use was face-to-face.  The social worker would need to consider psychological variances that emerge from the medium, such as the online disinhibition effect (Wu, Lin, & Shih, 2016).
      • D.2(e) Under this section, the social worker works in accordance with the workplace policies regarding the use of information technology, provided confidentiality of the records is maintained.  Considerations in practice would include relevant provincial and federal legislation, along with case law on practices for electronic storage of case files (see PIPEDA & HIA).
      • D.4(a) The social worker will store records in a way that maintains the confidentiality of the information contained in the records. – This may suggest that digital copies of case notes/records should be encrypted to limit access.
      • D.4(b) A social worker will adopt retention policies and procedures that will physically safeguard case records against any anticipated threats or hazards to their security or integrity. – This would also provide a reason to encrypt digital copies of files.  If files are backed up onto external hard drives, protection of the backup drives could include something like a safe that would protect the drive from environmental damage or unauthorized access.
      • D.4(d) A social worker will maintain professional records for 10 years following the last entry for a professional service.  Where an organization maintains both a paper and an electronic file, only one (1) complete file must be maintained following the closure of the file. – Digital files in this context must be ensured that they are deleted.  If the file is remotely stored on a 3rd party practice management system, this may be ambiguous when it comes to considering backups of data that may exist on those servers.  It may be necessary to explore that further with the practice management service provider.  In a private practice context, locally stored files would need to be permanently erased off of a drive.  Traditional platter hard disk drives do not “delete data” – they remove the pointer to the data.  Thus data is not deleted until something is written over it.  Policies should include consideration for what type of drive the computers use, and either write over the old data (some programs such as Active@Disk write over the data to permanently delete it).  Doing more than one pass of data overwrite, although not necessary, would a good policy to implement.  If newer SSD drives are used, full-disk encryption plus the enablement of TRIM should be utilized.  Traditional platter drives would benefit from full-disk encryption, but considerations on the computer performance and slowdown from encryption should also be considered.
      • D.4(g) outlines the requirement of social workers to maintain client files in a secure location for 10 years after the last entry of professional service.  For digital records, this would either suggest a need to maintain a 3rd-party platform that houses the records or store the records for an additional 10 years or locally store the records on a secured digital device for 10 years (using secure storage options

Reading through these, I will add more information as I go (to be continued…)

References

Alberta College of Social Workers. (2019). Standards of practice [pdf file].  Retrieved from https://acsw.in1touch.org/document/2672/DOC_FINALACSWStandardsOfPractice_V1_1_20200304.pdf

Alberta Health Services (n.d.) Virtual health recommendation: AHS healthcare professional considerations in virtual care.  Retrieved May 26, 2020, from https://www.albertahealthservices.ca/assets/info/ppih/if-ppih-covid-19-vh-hcp-consideration-vc.pdf

Alberta Health Services. (2020a). Novel Coronavirus (COVID-19): Frequently asked questions.  Retrieved May 26, 2020, from https://www.albertahealthservices.ca/assets/info/ppih/if-ppih-ncov-2019-staff-faq.pdf

Alberta Health Services. (2020b). Virtual health: Zoom clinical group sessions.  Retrieved May 26, 2020, from https://www.albertahealthservices.ca/assets/info/ppih/if-ppih-covid-19-vh-zoom-clinical-group-session-resource.pdf

Alberta Health Services. (2020c). Virtual health recommendation: Informed consent and script for virtual care.  Retrieved May 26, 2020,  from https://www.albertahealthservices.ca/assets/info/ppih/if-ppih-covid-19-vh-inform-consent-script-rec.pdf

Alberta Health Services (2020d). Policy: Patient Identification.  Retrieved May 26, 2020, from https://extranet.ahsnet.ca/teams/policydocuments/1/clp-patient-identity-verification-ps-06-policy.pdf

Canadian Counselling and Psychotherapy Association. (2019). Guidelines for uses of technology in counselling and psychotherapy: Technology and innovative solutions chapter project.  Retrieved May 8th, 2020 from https://www.ccpa-accp.ca/wp-content/uploads/2019/04/TISCGuidelines_Mar2019_EN.pdf

Wu, S., Lin, T. C., & Shih, J. F. (2017). Examining the antecedents of online disinhibition. Information Technology & People.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.