Privacy Policy

Purpose

Cornerstone Family Counselling Services (CFCS), as a Health Information Custodian (HIC), is committed to protecting the privacy and security of Personal Health Information (PHI) in our care. This policy outlines our practices to ensure that client information is handled safely and in accordance with Ontario’s Personal Health Information Protection Act (PHIPA).

Policy

We recognize the importance of privacy and the sensitivity of personal health information. This policy follows PHIPA guidelines to help safeguard client information and ensure that clients understand how we handle their data. Our staff members comply fully with PHIPA, as well as the professional requirements from their respective colleges. 

Individual colleges, which cover a number of CFCS staff, direct their members to fully comply with PHIPA and all other relevant legislation. This means strict compliance with all rules under PHIPA when collecting, using, or disclosing PHI.

What is Personal Health Information (PHI)?

PHI includes any identifying information about an individual, such as: 

  • Information related to physical or mental health, including family health history 
  • Details about health care provided to the individual 
  • Identification of a substitute decision-maker 
  • Health card number 

 

We collect PHI to provide counselling and therapy services. Information collected may include a client’s name, date of birth, address, health history, family background, and records of services provided. 

Our Privacy Responsibilities

To protect PHI, all HICs and their staff are required to: 

  • Designate a Privacy Officer 
  • Implement clear privacy policies 
  • Share only necessary health information with authorized parties, ensuring that only those involved in care have access 
  • Notify clients if their information is shared outside the circle of care, intentionally or unintentionally 
  • Train all staff, students, and volunteers on PHIPA obligations 

 

Our Privacy and Security Policy is designed to support Cornerstone Family Counselling Services staff in understanding their legal and professional obligations to maintain the confidentiality of individuals seeking service through our agency. It provides an overview of the confidentiality requirements set out under the Personal Health Information Protection Act, 2004 (PHIPA) and outlines other professional obligations related to client confidentiality within our scope of practice. 

Given the complexities of the legal requirements, staff are reminded that whenever there is uncertainty, they should contact the Agency’s Privacy Officer. The Privacy Officer can, if needed, consult legal counsel or the Privacy Commissioner of Ontario for further direction. 

Guiding Ethical Practices

01. Cornerstone staff must act in accordance with their professional and legal obligations.

02. To establish and preserve trust in the therapeutic relationship, clients must be confident that their personal health information will remain confidential.

03. Maintaining confidentiality is fundamental to providing the highest standard of care. Individuals who have confidence that their information will remain confidential are more likely to share complete and accurate health information, which leads to better treatment.

Collecting and Disclosing Information

Staff can only collect information that has a direct influence on the mental health treatment of the client, as per CRPO requirements. 

Staff may only disclose PHI: 

  • When they have the patient’s or substitute decision-maker’s consent, and it is necessary for a lawful purpose 
  • Where it is permitted under legislation, without the patient’s or substitute decision-maker’s consent 
  • Where it is required by law 

Consent

We require client consent before disclosing PHI. Where technology-assisted tools such as AI-assisted documentation software are used in the delivery of services, additional informed consent is required. See “Technology Use in Service Delivery” below.

  • Implied Consent: Assumed for sharing information within the client’s “circle of care.”
  • Express Consent: Required for disclosures outside the circle of care, except as allowed by law.

Lock Boxes

The term “lock box” applies to situations where the client has expressly restricted their counsellor or therapist from disclosing specific personal health information to others, even to others involved in the client’s circle of care. Staff will honour these restrictions except in cases where doing so may compromise client safety or legal obligations. 

If a lock box creates a situation where the staff member believes a client’s safety is at risk, they may refuse to provide treatment when it is not an emergency situation. The staff member should explain the reasons for their decision not to treat.

Standards and Practices

Staff will not share information about their clients with others inside or outside of the agency except for purposes of supervision, safety, and where directed by the client or permitted under the law. 

All reasonable steps are taken to protect client information. In group supervision or case conceptualization discussions, a first name, initials, or pseudonym along with age will be used. While these steps reduce the risk of inappropriate disclosure, full anonymization is not always achievable given the nature of clinical work. 

When service ends, staff will complete and authenticate all proper documentation and retain the record for at least 10 years from the date of the last interaction with the client, or for 10 years from the client’s 18th birthday, whichever is later. 

Client Consent and Interaction Policy 

Cornerstone is built to provide compassionate, high-quality care with genuine regard for the well-being of clients, both during active engagement and after a file is closed. To ensure compliance with privacy and confidentiality standards: 

  • Referrals and Information Sharing: Any exchange of information about a client with another program or service must only occur with the explicit consent of the client. This includes seeking general, non-health information updates on a referred individual. 
  • Interactions with Former Clients: If a staff member encounters a former client within the agency, any interaction should be respectful and guided by the client’s comfort level. Staff should not initiate discussions related to past care unless the client explicitly invites it. 

Monitoring

Cornerstone conducts regular audits of our Client Information System to ensure compliance. The designated Privacy Officer performs bi-annual attestations to confirm alignment with privacy practices.

Access to Client Records

Staff are prohibited from accessing client records unless they are directly involved in the client’s care. In emergency situations where a client requires immediate support and their primary therapist is unavailable, another therapist may access the client’s file if it is necessary to provide appropriate care, and with the explicit consent of the client. Unauthorized access or misuse of client data will result in disciplinary action, including possible termination, regulatory reporting, or legal action.

Data Breach Response

In the event of a data breach, Cornerstone Family Counselling Services will take the following steps: 

  • Identify and Contain the Breach: Immediately identify the nature and extent of the breach and take steps to contain it. 
  • Notify Affected Individuals: Notify affected individuals promptly, including the types of information involved and steps being taken to mitigate the harm. 
  • Report to Authorities: Report the breach to the appropriate regulatory authorities, such as the Information and Privacy Commissioner of Ontario. 
  • Investigate: Conduct a thorough investigation to determine the cause of the breach and implement measures to prevent future occurrences. 
  • Review and Update: Review and update privacy and security policies and procedures based on lessons learned. 

Contact Us

If you have questions or concerns about our privacy practices, please contact:

Evelyn DeMoss

Privacy Officer
Email: [email protected]
