Record Retention, Disclosure, and Disposal
Approved: September 2012; Revised September 2014
- Personal Health Information Protection Act, 2004
- Drug and Pharmacies Regulation Act, Ontario Regulation 264/16
- Regulated Health Professions Act, 1991
- Model Standards of Practice
- Code of Ethics
- Documentation Guideline
- Circle of Care: Sharing Personal Health Information for Health Care Purposes
College Contact: Pharmacy Practice
A patient record is the complete account of a patient’s care, comprising personal health information collected or generated by the pharmacy in any form or medium. The patient record includes the patient profile; patient and provider identifying information; data collected; assessment; notes documenting critical thinking and judgment, recommendations, interventions and discussions between members, other health care providers and patients; and prescriptions, records and reports that pertain to the patient’s care. All records and documents generated by members, and through the operation of the pharmacy, must be kept according to the standards of practice, code of ethics, and as required by legislation and regulation.
As a health information custodian, a pharmacy’s record keeping obligations are outlined in multiple acts and regulations. This guideline pertains specifically to the requirements established in the Personal Health Information Protection Act, 2004 (PHIPA), which governs personal health information in the custody and control of health information custodians and their agents. According to the Act, an agent means a person that acts for or on behalf of a health information custodian in respect of the collection, use, disclosure, retention, or disposal of personal health information. Health information custodians are responsible for the actions of their agents, and should therefore ensure that their agents comply with all of the obligations imposed on the custodian. In the case of a pharmacy, this obligation is shared with the designated manager as outlined in the Drug and Pharmacies Regulation Act, 1990.
- In return for care, patients provide health professionals with personal health information which must be protected from theft, loss and unauthorized use or disclosure;
- The records and information generated and managed by the pharmacy are both authentic and reliable;
- The record keeping system ensures that personal health information is protected against theft, loss, and unauthorized use or disclosure;
- Records are kept in a manner that ensures timely, efficient, and accurate retrieval;
- Records are retained for the time periods set out in law; and
- Pharmacies dispose of records securely.
As health information custodians, pharmacies are required to:
- collect, use and disclose personal health information according to the rules established by PHIPA;
- implement physical, administrative, and technical safeguards to protect personal health information;
- respond to requests to access or correct personal health information; and
- maintain transparent practices.
The pharmacy must protect the confidentiality of personal health information, including with respect to information generated in a remote dispensing location, if any. A pharmacy is required to make and maintain a scanned electronic copy of every original prescription where a drug is dispensed, and of the dispensing information recorded on the prescription [1,2]. Any records that are not stored in a computer system must be legible, made using non-erasable ink, readily retrievable and stored in an appropriate manner to provide reasonable protection from damage.
Consent to the Collection, Use and Disclosure of Personal Health Information
Pharmacies must obtain individual consent for the collection, use, and disclosure of personal health information. Consent must satisfy the following conditions: it must be the consent of the individual; it must be knowledgeable; it must relate to the personal health information; and it must not be obtained through deception or coercion. Consent may be express or implied, unless PHIPA stipulates that express consent be obtained; for example, if a custodian makes the disclosure to a person that is outside of the ‘Circle of Care’, express consent is generally required [3,4]. When a patient presents a prescription to be filled, a pharmacy can rely on his or her implied consent to fill that prescription and for the purposes of providing health care to that patient. (See Appendix 1 for more information on consent and the circle of care.)
An individual may withdraw their consent at any time by providing oral or written notice of withdrawal to the pharmacy. The withdrawal is not retroactive and would not impact information that has already been disclosed to other custodians.
Security of Personal Health Information
Pharmacies are accountable for taking reasonable steps to protect personal health information and to keep it secure. This obligation extends to employees, as well as to agents and service providers, including accountants, lawyers, and records management services who act on behalf of the pharmacy. (See Appendix 2 for additional detail on agents and their obligations.) All records are to be maintained in a manner that protects patient confidentiality and privacy through the use of physical, administrative, and technical safeguards [5].
Physical Safeguards: physical restrictions, including controlling access to areas where records are stored and taking steps to protect records from fire, flooding, and other hazards.
Administrative Safeguards: the maintenance of security protocols such as the development of policies and procedures, training staff on their obligations, and executing written confidentiality agreements with staff and other agents. Pharmacies must inform agents of their responsibilities under PHIPA.
Technical Safeguards: including the implementation of password protection, firewalls, and back-up and recovery systems to protect information maintained in an electronic format, and maintaining a copy of a digital back-up off-site or in a fire-proof or theft-resistant safe.
At times it may be necessary to keep personal health information on a mobile device to support the delivery of care outside the workplace. In these cases only the minimum necessary data should be transported, and the pharmacy must ensure that the information is encrypted in order to safeguard it against theft, loss or unauthorized use or disclosure, and to ensure the records are protected against unauthorized copying, modification or disposal [6]. Unless the pharmacy has access to a secure e-mail service offering strong encryption, the use of e-mail to communicate personal health information should be avoided [7,8].
The pharmacy is responsible for the safety and security of patient records even if the storage or disposal of those records is contracted out to a service provider.
Access and Correction of Personal Health Information
The pharmacy will support and enable individual access to personal health information, subject to the requirements of PHIPA. Subject to the limitations discussed below and set out in PHIPA, if an individual submits a written request for access to his or her personal health information, the pharmacy has 30 days to consider the request, conduct a reasonable search for records that are responsive to the request, and provide a written response to the requesting individual. In responding, the pharmacy must either:
- Make the record (or a copy of the record) available to the individual, and, if reasonably practical, an explanation of any term, code or abbreviation used in the record; or
- Indicate that no record exists (provided that, if a responsive record is later found, the pharmacy must inform the patient that a record was located); or
- Indicate that access is denied either in whole or in part, provided that the denial is pursuant to a specific section of PHIPA, and the response explains the reason for the denial of access along with information about making a complaint to the Information and Privacy Commissioner [9].
An individual may also request a correction to his or her personal health information if he or she believes that a record is inaccurate or incomplete. The individual must demonstrate that the record is incomplete or inaccurate and he or she must provide the information necessary to correct the record. (More detail on access and correction of personal health information is included at Appendix 3.)
Transferring Health Records in the Event of a Sale
Pharmacies remain responsible for records of personal health information until complete custody and control of these records is transferred to another legally authorized person. This means that when a store is sold, the pharmacy remains responsible for the secure retention, transfer and disposal of records until custody and control of those records is transferred to the purchaser [10]. Pharmacies are encouraged to review their obligations in the event of a change in practice that impacts personal health information [11,12].
Patients must continue to be able to access their personal health information in the event of a transfer of records. Pharmacies are required to take reasonable efforts to give notice to the individuals to whom the records relate before transferring the records or, if that is not reasonably possible, as soon as possible thereafter. If it is not reasonable to contact each individual, multiple means of providing notice should be adopted including placing a notice on the pharmacy’s website, leaving a message at the pharmacy’s telephone number, and/or posting a notice where members of the public can readily view it.
Secure Storage/Transfer of Health Records in the Event of Permanent Store Closure
In the event of a permanent store closure, the pharmacy retains all obligations with respect to health information until responsibility is transferred to another legally authorized person. Patients must continue to have access to their records, and the pharmacy must make appropriate arrangements for the secure retention or transfer of patient records [13]. The member must notify the Ontario College of Pharmacists of the disposition of the records.
Record Retention: Time Frames
The pharmacy will ensure that appropriate record retention schedules are in place:
- The entire patient record must be retained as a whole.
- Scanned electronic copies must be created through scanning an original document with software that does not permit the data in the resulting electronic document to be edited or extracted.
- All records and documents relating to the care of a patient, including the original prescriptions, shall be maintained for a period of at least 10 years from the last recorded professional pharmacy service provided to the patient, or until 10 years after the day on which the patient reached, or would have reached, the age of 18 years, whichever is longer.
- While an audit or inspection is being performed by or on behalf of the College, involving either a member or pharmacy, no record or document shall be destroyed until the audit or inspection is completed unless approved by the Registrar.
The pharmacy must retain records for longer than the general retention period if a request for access to personal health information has been received until such time as the record may no longer be required to respond to that request for access. (Legislative excerpts of the Drug and Pharmacies Regulation Act and Regulation that address record retention time frames are included at Appendix 4.)
Disposal of Records
The pharmacy should ensure that records marked for disposal are physically segregated from other records in a secure area, and clearly marked for disposal. In the event that a third party is engaged to dispose of records, the pharmacy must transfer the records securely and document the transfer. A third party retained by the pharmacy to dispose of records is an agent of the pharmacy, and the pharmacy must ensure that the agent complies with PHIPA. It is recommended that the pharmacy enter into a written contract with the third party that specifies roles and responsibilities, so that all parties fully understand their respective obligations [14,15].
While an audit or inspection is being performed by or on behalf of the College in respect of the pharmacy or in respect of a member who is practising at the pharmacy, no record or document shall be destroyed until the audit or inspection is completed, except with the written approval of the Registrar.
Appendix 1: Consent and the Circle of Care
The information in this appendix is based upon a publication of the Information and Privacy Commissioner “Circle of Care: Sharing Personal Health Information for Health-Care Purposes”.
Express consent from the individual or their substitute decision-maker, if any, is required to disclose personal health information to a person who is not a health information custodian, or when the disclosure to another health information custodian is not for the purposes of providing health care or assisting in providing health care. In circumstances where express consent is required, all the elements of consent must be fulfilled: it must be a consent of the individual, or their substitute decision maker, if any; it must be knowledgeable; it must relate to the personal health information; and it must not be obtained through deception or coercion.
Implied consent is a form of consent which is not expressly granted by a person, but rather inferred from a person’s actions and the facts and circumstances of a particular situation (or in some cases, by a person’s silence or inaction).
The term ‘circle of care’ is not defined in law; however, it is a term used to describe the ability of health information custodians, including pharmacies, to assume an individual’s implied consent to collect, use and disclose personal health information for the purpose of providing health care in circumstances defined by the PHIPA.
All of the following conditions must be met in order to assume implied consent within the circle of care:
- The health information custodian must fall within a category of health information custodians that are entitled to rely on assumed implied consent;
- The personal health information to be collected, used or disclosed by the pharmacy must have been received from the individual, his or her substitute decision-maker or another health information custodian;
- The pharmacy must have received the personal health information that is being collected, used or disclosed for the purpose of providing or assisting in the provision of health care to the individual;
- The purpose of the collection, use or disclosure of personal health information by the pharmacy must be for the provision of health care or assisting in the provision of health care to the individual;
- In the context of the disclosure, the disclosure of personal health information by the pharmacy must be to another health information custodian; and
- The health information custodian that receives the personal health information must not be aware that the individual has expressly withheld or withdrawn his or her consent to the collection, use or disclosure [16].
Appendix 2: Agents and their Obligations
An agent of a health information custodian is anyone who is authorized to do anything on behalf of the custodian with respect to personal health information. A person can be an agent of a health information custodian whether or not they are being paid, whether or not they are employed by the health information custodian, and whether or not they have the power to enter into agreements on behalf of the health information custodian. Agents of a health information custodian include, for example, employees; persons contracted to provide services where the person has access to personal health information, such as copying or shredding services or records management services; and volunteers or students who have any access to personal health information [17].
An agent may collect, use, disclose, retain, or dispose of personal health information as permitted by the health information custodian or as permitted in the regulations under PHIPA.
A health information custodian may permit its agents to collect, use, disclose, retain, or dispose of personal health information on the custodian’s behalf only if:
- The custodian is authorized by PHIPA to handle the personal health information; and
- The collection, use, disclosure, retention or disposition of the personal health information is in the course of the agent’s duties.
If another law permits or requires the agent to collect, use, disclose, retain or dispose of personal health information, the agent does not need the authorization of the custodian. An example is where the agent is an employee who is a health practitioner and who is required to make a report under the provisions of another Act, such as the Child and Family Services Act [18].
Appendix 3: Access, Correction, and Restrictions on the Disclosure of Personal Health Information
Generally speaking, all information in a record must be released to a patient upon request. A request for access to health information can be made informally or formally. A health information custodian can communicate with a requester and provide access to requested personal health information even when the individual does not make a formal access request, and can also communicate with the individual’s authorized substitute decision-maker about a record if the individual has a right of access to the record.
A formal request is one that is made in writing. The request must contain sufficient detail to enable the custodian to identify and locate the record with reasonable efforts. If the request is not sufficiently detailed, the health information custodian must offer assistance to the requester in reformulating the request. A formal access request triggers the time frames in the Act and the rights of complaint and appeal [19].
If the health information custodian refuses to correct the record, the reasons for the refusal must be provided to the requester. The custodian must inform the requester of their right to prepare a statement of disagreement setting out the correction the health information custodian refused to make, and that the requester can require the custodian to attach the statement to the records and disclose it along with the personal health information related to the disagreement.
The individual has the authority to restrict disclosures of their personal health information including:
- A particular item of information (e.g., a diagnosis);
- The entire record;
- A particular health information custodian, agent of a health information custodian, or class of custodians or agents; or
- A direction that a particular health information custodian, agent or class of custodians or agents cannot use their personal health information [20].
Where an individual wishes to restrict the disclosure of information, or give conditional consent, their instructions should be set out in writing.
Appendix 4: Legislative Excerpts - Record Retention
Standards For Accreditation
20. (1) In every pharmacy, the following documents shall be maintained:
- Documents required to be made and maintained under the Act and the regulations.
- Documents required to be made and maintained by members under the Pharmacy Act, 1991 and its regulations and any federal or provincial legislation governing the purchase or sale of drugs.
- Documents required to be made and maintained by members practising in the pharmacy in order to meet the standards of practice of the profession.
- Documents relating to the acquisition and movement of drugs.
(2) The documents referred to in subsection (1) shall be maintained in the pharmacy in a manner that is secure, auditable, traceable and allows for their easy retrieval.
(3) In respect of a remote dispensing location, the documents referred to in subsection (1) shall be maintained in the pharmacy whose certificate of accreditation permits its operation.
Length of retention
21. Subject to the Act, documents relating to the care of a patient shall be maintained for a period of at least 10 years from the last recorded pharmacy service provided to the patient, or until 10 years after the day on which the patient reached or would have reached the age of 18 years, whichever is longer.
References
1. Drug and Pharmacies Regulation Act, General, O. Reg. 264/16, ss. 20-21.
2. Drug and Pharmacies Regulation Act, R.S.O. 1990, c. H.4, s. 156(1).
3. Implied consent is a form of consent which is not expressly granted by a person, but rather inferred from a person’s actions and the facts and circumstances of a particular situation (or in some cases, by a person’s silence or inaction).
4. ‘Circle of Care’ is a term commonly used to describe the ability of certain health information custodians to assume an individual’s implied consent to collect, use or disclose personal health information for the purpose of providing health care, in circumstances defined in PHIPA. More information on the term, and guidance on access to patient information, is outlined in the document created by Ontario’s Information and Privacy Commissioner: Circle of Care: Sharing Personal Health Information for Health Care Purposes.
5. Information and Privacy Commissioner. Fact Sheet 1: Safeguarding Personal Health Information.
6. Information and Privacy Commissioner. Fact Sheet 12: Encrypting Personal Health Information on Mobile Devices.
7. Cavoukian, A. & Rossos, P. Personal Health Information: A Practical Tool for Physicians Transitioning from Paper-Based Records to Electronic Health Records.
8. Information and Privacy Commissioner. Fact Sheet: Health-Care Requirement for Strong Encryption.
9. Personal Health Information Protection Act, S.O. 2004, Chapter 3, Section 54(1)(b).
10. Information and Privacy Commissioner. Personal Health Information Protection Act Report, File No. HR 10-18, p. 6.
11. Information and Privacy Commissioner/Ontario. How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice.
12. Information and Privacy Commissioner. Checklist for Health Information Custodians in the Event of a Planned or Unforeseen Change in Practice.
13. Information and Privacy Commissioner/Ontario. How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice.
14. For sample contractual clauses, please refer to the document Get Rid of It Securely to Keep It Private: Best Practices for the Secure Destruction of Personal Health Information.
15. Information and Privacy Commissioner. Secure Destruction of Personal Information.
16. Information and Privacy Commissioner. Circle of Care: Sharing Personal Health Information for Health-Care Purposes.
17. Ministry of Health and Long-Term Care. Personal Health Information Protection Act, 2004: An Overview for Health Information Custodians, p. 9. August 2004.
18. Ibid., p. 11.
19. Ministry of Health and Long-Term Care. Personal Health Information Protection Act, 2004: An Overview for Health Information Custodians, p. 27. August 2004.
20. Information and Privacy Commissioner. Lock-box Fact Sheet. 2005.