Standard of Practice: Privacy and Confidentiality
Bolded terms below are found in the Glossary.
The client’s personal health information, privacy and confidentiality are securely protected.
Registered Massage Therapist Outcome
The Registered Massage Therapist (RMT/MT) always maintains the privacy and confidentiality of clients and the client’s personal health information.
The RMT must:
- Comply with the Personal Health Information Protection Act, 2004 (PHIPA).
- Understand that the rules governing consent to decisions involving personal health information are found in PHIPA and are different from those governing consent to treatment found in the Health Care Consent Act, 1996 (HCCA) (please see Standard of Practice: Consent).
- Understand that under PHIPA, in order for consent to be valid to collect, access, use or disclose personal information, RMTs must ensure that:
- it is reasonable to believe that the client knows the purpose of the collection, use or disclosure, and that they may give or withhold consent;
- the consent relates to the personal health information; and
- the consent is not obtained through deception or coercion.
- Understand that under PHIPA, the RMT must obtain consent to collect, access, use or disclose personal health information, and the RMT must:
- obtain the client’s consent before disclosing personal health information to a person outside the client’s circle of care; and
- understand that the RMT can rely on the client’s implied consent to disclose the personal health information within the client’s circle of care for healthcare purposes, unless the RMT has reason to believe that the client has expressly withheld or withdrawn consent to do so.
- Obtain consent from the client’s substitute decision-maker for the collection, use or disclosure of personal health information if the client is incapable.
- Only collect, use or disclose personal health information that is necessary to meet the client’s health needs or to eliminate or reduce a significant risk of bodily harm.
- Only provide access to personal health information to authorized persons, except as required or allowed by law.
- Allow clients to access their own personal health information.
- Only discuss the client’s personal health information in a way that ensures the client’s privacy (for example, avoid treatment-related conversations in non-private places).
- Use any electronic communication, social media, client booking and management software and other forms of digital technology ethically and professionally, in a way that protects client privacy and confidentiality.
- Store, share, transfer and dispose of client data on personal devices in a way that maintains the privacy and confidentiality of clients.
- Comply with requirements for mandatory reporting of privacy breaches.
- Disable all audio, video or photographic transmitting and recording functions of all devices in the room, unless:
- the RMT obtains informed consent for the use of audio, video or photographic recording equipment; and
- the recording functions are for assessment, treatment and/or educational purposes.
Relevant Legislation and Regulation
- Personal Health Information Protection Act, 2004 (PHIPA)
- Professional misconduct in Section 26 of Ontario Regulation 544/94 under the Massage Therapy Act, 1991
Related Career-Span Competencies (CSCs)
In certain situations, consent to collect personal health information can be implied, such as when a client voluntarily completes and returns a health history form to the RMT.
Resources and Guidance
- Standard Spotlight: Privacy and Confidentiality
- What You Need to Know About Privacy Law: An Overview of the Personal Health Information Protection Act, 2004 (2020)
- Personal Health Information Protection Act, 2004 (PHIPA): Guide for Regulated Health Professionals
- Webinar: A Privacy Update for Regulated Health Professionals
- Code of Ethics
- Circle of Care Sharing Personal Health Information for Health-Care Purposes
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- Mandatory Reporting
- Reporting a Privacy Breach
- Responding to a Health Privacy Breach: Guidelines for the Health Sector
- About the Standards of Practice