What is Personal Health Information (PHI)?

PHI is any information that can identify a client and relates to their health, treatment, or payment. It is broader than just medical records — it includes anything that could reasonably link to a client.

PHI examples at our clinic:

  • Personal Identifiers: Name, date of birth, address, email, phone number, emergency contacts.
  • Clinical/Treatment Information: Health history, presenting concerns, diagnosis, treatment plans, progress notes, test results, risk assessments, correspondence with other providers.
  • Administrative/Financial Information: Billing records, insurance claims, invoices, payment histories.
  • Other Identifying Details: Group therapy attendance, unique circumstances or demographics, or any information that could indirectly identify a client.

Our Privacy Contact Person

Contact Person: Francesca Lupo

Title: Registered Psychotherapist/Clinic Director

Email: francesca@evergreentherapeutics.ca

Phone Number: 647-498-4283 ext.3

 

 

Who Are They and What Do They Do

The Privacy Contact Person is responsible for:

  • Overseeing the clinic’s privacy policies and procedures
  • Ensuring compliance with PHIPA
  • Providing privacy training and support to staff
  • Responding to client requests regarding:

o Access to records

o Corrections to records

o Privacy questions

o Privacy complaints

• Maintaining records of privacy breaches

• Reporting breaches when required

• Reviewing and updating privacy policies

• Their contact information

How we collect, use, and disclose PHI:

We collect, use, and sometimes share PHI only for legitimate purposes related to client care, administration, or legal requirements.

Primary purposes include:

Collection

We collect PHI through:

• Client intake forms

• Therapy sessions

• Communication with the clinic

• Insurance information submitted by the client

• Information shared by other healthcare providers with client’s consent

Use

PHI may be used for:

• Assessment and treatment

• Monitoring therapy progress

• Care planning

• Appointment scheduling

• Billing and payment processing

• Insurance claims

• Administrative purposes

• Legal or regulatory obligations

Disclosure

• We will verify client consent before sharing information.

• The purpose and any consent for disclosures is always documented.

By receiving services from Evergreen Therapeutics and using our site, you agree to our privacy policy.

This means you consent to the collection, use, and disclosure of your PHI as described in this

statement and in accordance with PHIPA.

How we safeguard client information:

Protecting PHI is essential for client trust and legal compliance. Our clinic uses three layers of

safeguards:

Administrative Safeguards:

• Access to PHI is role-based; staff see only what is necessary.

• Staff receive annual privacy training and refresher sessions.

• Policies are reviewed at least annually or when regulations change.

• Incident reporting and breach response processes are clearly defined.

Physical Safeguards:

• Therapy and intake sessions occur in private areas.

• No client records left unattended in shared or public spaces.

Technical

• Electronic PHI is password-protected, encrypted, and backed up.

• Only approved platforms (e.g., Jane App) are used.

Retention and Destruction of Records

PHIPA requires that client records be kept for at least 10 years after the last appointment, or 10 years

after the client turns 18, whichever is later.

Destruction Procedures:

• Paper records: cross-cut shredding

• Digital records: permanent deletion from active and backup systems

Access and Correction of Records

Client Rights: Access, Correction, and Complaints

Clients have legal rights under PHIPA:

1. Access: Clients can request copies of their PHI.

2. Correction: Clients may ask to amend inaccurate or incomplete information.

3. Complaints: Clients can raise concerns if they believe PHI was mishandled.

Requests should be directed to:

Privacy Contact Person:

Francecsa Lupo

francesca@evergreentherapeutics.ca

647-498-4283 ext.3

If there is a privacy breach

A privacy breach occurs when PHI is lost, stolen, accessed, or disclosed without proper authorization.

Examples include:

• Sending PHI to the wrong recipient by email or fax

• Losing a laptop, USB, or paper record containing PHI

• Discussing client information in a public area or on social media

• Unauthorized staff access to client charts

If a breach occurs:

• The clinic will investigate the incident

• Take steps to contain the breach

• Notify affected individuals when required

• Report the breach to the appropriate authority when required

Questions and Complaints:

Direct any questions to the Privacy Contact Person:

Contact Person: Francesca Lupo

Title: Registered Psychotherapist/Clinic Director

Email: francesca@evergreentherapeutics.ca

Phone Number: 647-498-4283 ext.3

Process for making a complaint:

Visit the College of Registered Psychotherapists of Ontario to complete a complaint form. The complaint

must be in writing, detailing the concerns about the registrant’s conduct or competence. The CRPO will

confirm receipt, notify the therapist, and initiate an investigation by the Inquiries, Complaints and Reports

Committee (ICRC).

Steps to File a Complaint with CRPO:

• Complete the Form: Download and fill out the official Complaint Form.

• Submit Documentation: Send the completed form along with any supporting evidence to the

CRPO by email, mail, or fax.

o Email: info@crpo.ca

o Fax: 416-639-2168

o Address: 375 University Avenue, Suite 800, Toronto, ON M5G 2J5

• Initial Review: The CRPO will confirm receipt and provide information on next steps.

• Investigation: The registrant is notified within 14 days and may respond. An investigator may be

appointed to collect documentation and interview witnesses.

• ICRC Review: The Inquiries, Complaints and Reports Committee (ICRC) reviews the evidence

and determines the appropriate action