Clinical Documentation and Record Keeping

This guideline specifically addresses the responsibilities of the registered speech-language pathologist (SLP) or audiologist in relation to Clinical Documentation and Record Keeping. To clarify excerpts of information that come from the Standard of Practice on Documentation and Information Management, this document utilizes the following icon:

Please pay careful attention to these references and to the standards within the icon boxes; taken together they represent the minimum expected level of performance for regulated members.

ACSLPA would like to thank the dedicated volunteers who shared their expertise by participating on ACSLPA’s Practice Advisory Committee for their thoughtful review and revision of this guideline.

To contact the SLP Advisor or Audiology Advisor should questions or concerns arise regarding this document, please use our Contact Us form.

The term “record” is defined as: “information in any form or medium, including notes, images, audiovisual recordings, X-rays, books, documents, maps, drawings, photographs, letters, vouchers and papers and any other information that is written, photographed, recorded or stored in any manner” (1, 2, 3).

Legible, complete, and accurate records are an essential component in the delivery of speech-language pathology and audiology services. Records and record keeping are important in the delivery of competent and effective clinical care, including the protection of privacy.

While there is no specific legislation in Alberta that addresses documentation or record keeping in a clinical context, regulated members must meet minimum standards established by the professions through the ACSLPA Code of Ethics and Standards of Practice. There is also relevant privacy legislation that will have bearing on clinical documentation and record keeping, to which regulated members must adhere.

In situations where employer or agency policies do not meet or exceed the minimum standards of the profession, jeopardize client safety, or undermine the public interest (i.e., resulting in unethical or unsafe practice), members are expected to use their professional judgment to seek solutions that keep client safety, the public interest, and sound professional practice at the forefront of their decision-making. A solution-oriented approach includes communicating concerns to the employer or contracting agency and sharing professional obligations as outlined in College documents.

There are five key pieces of privacy legislation that set rules for how information is to be collected, protected, used, disclosed, and amended:

• The Health Information Act (HIA) (1) addresses protection of individually identifying health information. It applies to health information custodians (either named health care organizations or named professions in the Health Information Regulation) and their affiliates (employees, volunteers, contractors, and other authorized people who work for a custodian).
• The Personal Information Protection Act (PIPA) (4) governs personal information, including both health and non-health information, held by private-sector organizations in Alberta. This includes private practices that provide speech-language pathology or audiology services, non-profit organizations, and professional regulatory bodies.
• The Access to Information Act (ATIA) (2) provides rules and processes for individuals accessing personal records that are in the control of public bodies and aims to protect confidential information required to ensure effective operations of government and public bodies. ATIA came into force in June 2025, replacing the access to information component of the Freedom of Information and Protection of Privacy Act (FOIP). It applies to public bodies in Alberta, including government departments and agencies, school boards and charter schools, universities and colleges, municipalities, and police.
• The Protection of Privacy Act (POPA) (3) governs the ways a public body may collect, use or disclose personal information. POPA replaces the privacy component of the FOIP Like the ATIA, POPA also applies to public bodies in Alberta.
• As well, the Children First Act (CFA) (5) supplements information sharing already outlined under ATIA, POPA and HIA, by outlining additional circumstances where information about children can be collected, used, and disclosed. It supports appropriate information sharing between individuals and organizations that plan or provide programs and services for children.

Additional information regarding privacy legislation and professional obligations may be found in Section F. Security and Confidentiality of Records. If you are unsure if or how these changes apply to you, it is recommended that you discuss with your employer (if applicable), to ensure you comply with organizational privacy policies. You may also consult legal counsel for advice, as needed.

This guideline addresses the responsibilities of speech-language pathologists (SLPs) and audiologists in the preparation, maintenance, communication, safeguarding, and disposal of clinical records.

ACSLPA recognizes that variations in practice setting and types of interventions provided will affect the type of documentation required. This guideline provides information applicable to all SLPs and audiologists practicing in Alberta. The actual application of the guideline will depend on the professional service being provided.

Various types of records exist to fulfill the key purposes of record keeping; namely, communication with clients, collaborators, and stakeholders for the purposes of continuity of care and overall professional accountability (6).

Although the primary focus of this guideline is clinical documentation and record keeping, a full range of record types is outlined below. Depending on the practice setting, context, and legal requirements, the SLP or audiologist will be expected to maintain more or less of these various record formats.

1. Clinical Records

Clinical records contain details related to services provided to the client.  They are kept in the client’s individual file or chart.  Clinical records serve multiple purposes: rationale to support clinical decision making, delineating the care plan, documenting the effectiveness of intervention, communicating the delivery of professional services, promoting continuity of care, and providing a legal record of events (6).

2. Administration / Support Records

Administration/support records are typically maintained by the employing agency or by the private practitioner.  Administration/support records may include the following:

1. 1. Personnel files (including resumes, criminal record checks, reference checks, performance evaluations, disciplinary records, training/continuing education records, records related to leaves, lay off or termination of employment, etc.).
   2. Student documents (i.e., for students enrolled in a graduate SLP or audiology program of study, supportive personnel practicum students, etc.).
   3. Human resources documents (e.g., employment applications, contracts, employee benefit plans, etc.).
   4. Occupational health and safety documents and records.
   5. Legal documents (e.g., professional liability insurance, corporate documents, shareholder documents, etc.).
   6. Logbooks (e.g., mileage and telephone logs).
   7. Fixed asset listings/registers.
   8. Operational manuals (e.g., employee and quality control manuals).

3. Financial Records

Financial records ensure effective financial management, controls, reporting, and compliance with applicable laws.  They are also necessary for tax and non-tax related purposes as required by the Canada Revenue Agency (7).  As with all businesses, SLPs
and audiologists who work in private practice or non-publicly funded settings should maintain an effective and efficient accounting system.  This system should include the following: cash records, customer records, supplier records, employee records
(i.e., salary and deductions, etc.), lender records, owner/shareholder records, and
government records.

4. Equipment Service Records

Equipment service records are necessary when the proper functioning of equipment may impact client health and safety, or the accuracy of assessment results (e.g., audiometric testing equipment). Calibration and/or inspection of equipment as per manufacturer’s standards (i.e., daily, weekly, monthly, annually as required) should be documented in a record that includes the date, the service provided, and who/where the service was completed in the event that a problem surfaces at a later date (6). Infection prevention and control (IPC) records related to critical and semi-critical device reprocessing would also be included in this category, as would records related to any equipment malfunctions and corresponding repairs.

5. Transitory Records

Transitory records are documents of short-term use and are not part of an official record-keeping system.  They may include documents used for a temporary purpose (e.g., phone messages, post-it notes, invitations, etc.), exact copies of main records
(e.g., working files, otherwise known as shadow or ghost files), unsolicited materials (e.g., unsolicited resumes), and draft reports (no longer required) that were used in the preparation of formal documents.  Transitory records do not include any documents that fall into the previously stated record categories. They are typically destroyed when they are no longer useful.

1. All Records

The following principles of good record keeping should be implemented regardless of whether a paper-based or electronic recording format is used (6, 10):

a. Minimum Requirements for All Records

• • Name and professional designation of the person documenting the information (refer to Advisory Statement, Using Your Protected Professional Designation the Right Way). ^{Indicator d.i.}
  • Name and professional designation of the person taking professional responsibility for the work (if not the person who created the record-see section Supervisory Responsibilities). ^{Indicator d.ii.}
  • Names and titles of assisting professional service providers and assisting unregulated support personnel. ^{Indicator d.iii.}
  • First and last name of the client that the record pertains to, and a tracking number (if one is used). Client identification in the form of either a name or a tracking number should be included on each page of the record. ^{Indicator d.iv.}
  • Date that procedures and records were completed. ^{Indicator d.v.}
  • Time that procedures were completed, if clinically relevant. ^{Indicator d.vi.}

b. Quality Requirements for All Records

• • Document accurate, precise, and objective information supported by facts.
  • Document clearly.
  • Proofread notes to minimize any ambiguity.
  • Document concisely. Point form is acceptable.
  • Use correct spelling and terminology that is understood by others.
  • Record events, decisions, outcomes, etc. in chronological order. ^{Indicator c.}
  • Complete during or immediately after client contact (contemporaneously), and not ahead of time.
  • If a late entry is made, it will include the current date and time, a notation that the entry is late, and the date and time of the events described in the late entry. ^{Indicator g.}

c. Use of Abbreviations

• • Use abbreviations as follows: any term must be written out in full, with the abbreviation in brackets the first time it is stated in any continuous document entry (i.e., a formal report would constitute one continuous document entry, as would daily chart notes). Subsequent use of the abbreviation in the continuous document would be acceptable ^{Indicator i.} (eg., “therapy” for the first entry, could be written as “therapy (Tx)” and then just as “Tx” in all following entries).  Regulated members should also be aware of any employer rules for use of acceptable abbreviations.

d. Creating and Signing Records

• • The person who was directly involved in the event completes the record.
  • The SLP or audiologist does not chart or sign on behalf of another individual (see exceptions under Section Supervisory Responsibilities).
  • Record entries (e.g., daily progress notes or chart notes) should be signed by the person who made the entry including name and credentials. Additional requirements may be mandated by the employing agency.
  • Formal reports (e.g., assessment reports, intervention summaries, progress reports, discharge summaries, etc.) for clients followed by support personnel should be completed and signed by the supervising SLP or audiologist. This principle is in keeping with recommendations outlined in:
    • ACSLPA’s, Speech-Language Pathologists’ and Audiologists’ Guideline for Working with Support Personnel (2021) (11).
  • Daily progress notes or chart notes completed by support personnel should be signed by the support person as they are the individual who provided the intervention and has first-hand knowledge of the service. Support personnel must clearly indicate their status on any documentation completed. The supervising SLP or audiologist should be aware of and follow any employer or agency requirements related to co-signing of entries.
  • Formal documentation, including reports and letters for clients followed by a clinical practicum student may be written by the student under the supervision of the registered SLP or audiologist. The supervising SLP or audiologist should review the report, write or stamp their name, designation and that they have reviewed the report, and sign the report (e.g., “this document has been read & reviewed by J. Smith R.SLP/R. Aud”).
  • Students should not write reports for individuals they did not assess/treat/follow.

e. Expectations Specific to Paper-Based Records

In addition to the general principles outlined above, the following are specific to paper-based records (6, 10):

• • Write legibly in blue or black ink to establish a permanent record and clear transmission through electronic means (e.g., fax or scan).
  • Ensure unauthorized alterations are not made to source documents. Where corrections are made, they should be made using the following approach for written entries:
    • Draw a single line through the entry so that it is clearly deleted, yet still readable. You may use a single word above the through-line such as “error” to clearly indicate that this entry was made in error. Initial the deletion.
    • Indicate the location of the correct entry.
    • Record the correction with the date and time.
    • Initial the correction.
  • Do not remove pages from the record.
  • Do not leave blank lines or white space between entries in the record to avoid the risk of additional information being added by another individual.
  • Ensure each page is dated and/or numbered to eliminate confusion should pages get mixed up.

f. Expectations Specific to Electronic Records

Principles specific to electronic recording formats include the following (6, 10):

• • All entries made/stored electronically are considered a permanent part of the client record and are governed by the same requirements as paper records.
  • Use the appropriate features of the electronic documentation system to make corrections or late entries. In some situations, this may mean providing an additional entry that is dated for the day the correction is made, indicating which section of the record is being revised and why.
  • Ensure that the software used leaves an audit trail that can reveal who accessed the record, what changes were made, when each change was made, and by whom.
    ^{Indicator h.}
  • Ensure the confidentiality of passwords used to access the electronic record. Do not share passwords with colleagues under any circumstances.
  • Ensure log off occurs when a workstation is left unattended (this may include time out screens); the user who is logged on is responsible for all activity completed under their log on credentials.
  • Document using the workflows and tools agreed upon by the organization so that other team members can find information in the location where it is expected.
  • Ensure mechanisms exist to safeguard access to digital/electronic signatures by unauthorized individuals.
  • Do not keep information outside of the electronic record as this can disrupt the cohesiveness of the record for decision-making, review and retention purposes. Where information must be maintained outside the electronic record (in a paper “shadow” file), clearly indicate in the electronic record that there is a corresponding paper record where additional information is housed.
    • Ensure copyright permissions have been obtained prior to uploading or scanning documents to an electronic record.

g. The Alberta Electronic Health Record

The Alberta Electronic Health Record Regulation (AEHRR) (12) defines the Alberta Electronic Health Record as the integrated health information system established to provide shared access by authorized custodians (e.g., Alberta Health Services, the Minister and the Department, and independent health service providers), to prescribed health information in a secure environment.

• • Under the AEHRR, authorized custodians who use prescribed health information through Netcare must keep an electronic log containing specific user information. A detailed listing of this information and additional details regarding the AEHRR may be accessed by visiting: https://www.acslpa.ca/the-college/governing-legislation-bylaws/.
  • Please refer to Section F.2. Protection of Personal Information on Personal Computers, Laptops, or Other Mobile Devices for additional information regarding the security and confidentiality of electronic information.

2. Clinical Records

a. Client Identification

• • First and last name on each page of the record.
  • Date of birth.
  • Client identification number or other identifying number as required (e.g., school ID number, Alberta healthcare number, etc.).
  • Third-party number, as required (e.g., Worker’s Compensation Board, Veterans Affairs Canada, etc.).
  • Alternate decisionmaker information, as required.
  • For minors, inclusion of the names of parents/guardians and details of custodial rights, if relevant.

b. Client Contact Information

• • Personal contact information
    • home and/or business and/or cellphone number
    • mailing and/or home address, as required.

c. Screening Information

• • Client identification and contact information should be maintained for individuals who have been screened by an ACSLPA registrant or their designate (i.e., support personnel) for a speech, language, hearing, and/or feeding concern, and should include specifics, as outlined above.
  • In the case of group screening, the client’s name, and a reference to the group with whom the client is affiliated, is required.
  • The nature and result of every screening performed should be documented, including:
    • documentation of any action taken by the member based on the screening, and
    • a record of consent provided by the client.

d. Documentation Requirements

• • Relevant case history (including health, family, and social history) ^{Indicator e.i.} and intake information including referral source (e.g., physician, teacher, other professionals, parents), as appropriate.
  • Presenting concern, ^{Indicator e. ii.} and any updates as of the date of assessment.
  • Dates and entries related to any communication to or with the client, family, or decision-makers, including missed or cancelled appointments, telephone, or electronic contact. ^{Indicator e. iii.}
  • Indication of any input that the client/family had into the assessment and intervention process, including involvement in goal setting and in transition and discharge planning.
  • Assessment of relevant structure and function, and the impact on activities and participation. ^{Indicator e. v.}
  • Notation of any adverse or unusual events during assessment or intervention. ^{Indicator e. iv.}
  • Description of client strengths and needs relevant to communication, feeding, hearing, and/or balance.
  • Relevant supports and services.
  • Plan of care outlining intervention goals and strategies. ^{Indicator e. vi.}
  • Responses to interventions and progress toward achieving goals documented in the plan of care. ^{Indicator e. viii.}
  • Recommendations. ^{Indicator e.ix.}
  • Transition/discharge plans, including the reason for discharge. ^{Indicator e. x.}
  • Referrals to other professionals, reports and correspondence from other professionals, equipment, and other services provided. ^{Indicator e.xi.}
  • Communications with referring providers and/or care partners. ^{Indicator e.vii.}
  • Notation of any change in therapist or support personnel. ^{Indicator d. vii.}
  • Notation of chart closure. ^{Indicator d. viii.}
  • Evidence of informed consent, whether that be a signed consent form or documentation of a conversation with the client regarding consent, and the resulting outcome. Include any timelines or conditions related to the consent. ^{Indicator d. ix.}

e. Standardized Intervention Protocols and Procedures

• • Standardized intervention protocols and procedures may be developed in situations where a standard or documented program is being followed
    (e.g., language facilitation/intervention provided in a group or classroom format that addresses specific goals or targets over the duration of a set number of sessions).
  • Include the care plan as part of the standard protocol, clearly outlining the goals of the program.
  • Document on a “charting by exception” basis, noting client contacts, communications, any deviations from the plan of care or clinical protocol used, responses to intervention, and any outcomes of the clinical activity that fall outside the expected range.

f. Documentation by more than One Professional

In situations where charting in a client file may be completed by more than one professional (of the same or different disciplines):

• • Consider maintenance of a signature log listing care providers’ signatures/initials. This may be helpful should legal issues arise, and it is necessary to identify the maker of an entry.
    • Keep signature log either in individual client records or as part of
      office records.
  • If two or more people are involved in client care (e.g., a multi-disciplinary team of health-care professionals), individual parties may document and sign for the care they provided, or
  • One person can indicate in the record that care was provided by the professionals named in the entry. In this instance, the record-keeper should designate specifically what care was provided by which professional. In this situation, co-signature is not required.

g. Financial Records

h. Supervisory Responsibilities

SLPs and audiologists may have supervisory responsibilities related to support personnel, graduate students completing clinical practicums in their respective fields, and/or staff coordination and/or management functions. The act of supervision includes reviewing student, staff and support personnel’s work including any documentation they have completed.

• • Record entries (e.g., daily progress notes, chart notes) completed by support personnel and clinical practica students should be signed by the individual completing the entry. Students and support personnel must clearly indicate their status on any documentation completed.
  • Formal reports (i.e., assessment reports, intervention summaries, progress reports, discharge summaries, etc.) for clients followed by
    support personnel should be completed and signed by the supervising SLP or audiologist.
  • Formal documentation, including reports and letters for clients followed by a clinical practicum student, may be written by the student under the supervision of the registered SLP or audiologist. The supervising SLP or audiologist should review the report, write or stamp their name, designation and that they have they have reviewed the report, and sign the report (e.g., “this document has been read & reviewed by J. Smith, R.SLP/R.Aud”).
  • If a staff SLP or audiologist is unable to sign completed documentation due to, for example, events such as a sudden medical leave, the disclaimer “dictated/composed but not read by” should be included in the signature block of the report. Should the supervisor choose to sign off on the completed report, the intent of the signature must be made clear and be indicated in the report (e.g., “this report was written by Jane Smith, R.SLP/R.Aud and has been reviewed by Mary Brown, R.SLP/R.Aud, supervising SLP/Aud”).

Under the Health Information Act (HIA) (1), Personal Information Protection Act (PIPA) (4), and Protection of Privacy Act (POPA) (3), if a client believes that personal or health information contains an error or omission, they may request that the responsible party^[1] who has control of that information correct or amend the record.

^[1}FOOTNOTE: HIA employs the term “custodian”; PIPA employs the term “organization” and ATIA and POPA employ the term “head of public body”. For the purposes of this guideline, the term “responsible party” will be used to refer to all three situations.

• Generally, requests to correct or amend their information must be made in writing.
• Responsible parties in health-care settings, private-sector organizations and public bodies must make every reasonable effort to respond within legislated time frames and assist individuals with their requests.
• When a correction or amendment is made, the original entry must be maintained in the original form. ^{Indicator r. i.}  The corrected entry or amendment should be inserted into the record, indicating the date and name of the person making the correction or amendment (12).

For further information and details, each piece of legislation may be accessed by visiting: https://www.acslpa.ca/the-college/governing-legislation-bylaws/.  Responsible parties who are employed by a public body, under ATIA and POPA or a custodian as defined in HIA, may wish to consult the Privacy Officer when considering a request for correction.

1. Transmission of Records

The security and confidentiality of records is at increased risk when records are transmitted from one location to another.  SLPs and audiologists should ensure that all necessary steps are taken to reduce such risk (6):

a. Records Being Transmitted Via Mail or Courier

• • Place information in a sealed envelope, clearly identified as confidential.
  • As a tracking mechanism, document the date that mail was sent in the client’s file or chart.

b. Records Being Transmitted Via Facsimile (12)

• • Use secure and confidential systems. If possible, use encryption technology or other technology to secure fax transmissions.
  • Ensure that the facsimile will be retrieved immediately or stored in a secure area where unauthorized persons cannot see the documents. If there is no appropriate location, someone should be watchful of the machine while in operation.
  • Verify fax numbers and distribution lists prior to transmitting.
  • Check activity reports to verify successful transmission.
  • Include a confidentiality statement on the cover sheet stating that the information is confidential, to be read by the intended recipients only and a request for verification that facsimiles received in error were destroyed without being read.
  • Be aware that your fax number can be re-assigned once you give it up.
  • It is possible to “purchase” the rights to that line so that the number is never re-assigned.

c. Records Being Transmitted Electronically (6)

• • Use secure and confidential systems.
  • Uses encryption technology, as required, to ensure safe transmission.
  • Password protection of electronically transmitted files containing personal information may be considered in situations where files are not encrypted,
    but one has control over both the sending and receiving ends of the electronic exchange.
  • If necessary, for the purposes of transmission, consider removing identifying information (e.g., individual identifier numbers, last names) from email messages or electronically transmitted reports (e.g., when you are sending a draft report to someone else to review content). This information can be re-entered once confirmed and then a final copy can be sent via a more secure approach.
  • Verify email addresses of intended recipients prior to transmitting.
  • Request an acknowledgement of receipt.
  • Include a confidentiality statement stating that the information is confidential, to be read by the intended recipients only, and that the email and any attachments are to be deleted if received in error.

Access to and disclosure of records containing personal information must occur in accordance with the applicable privacy legislation ^{Indicator n.} (refer to Section F.1. Privacy Legislation and Professional Obligations of this document).

2. Retention of Records

a. General Considerations

• • Record retention must be considered for both electronic and paper records.
  • Ensure the back up of electronic records to ensure continuity of care in the event records are compromised. ^{Indicator m.}
  • Client records should be retained, as below, even in the event of the death of a client. The estate of the client may require information related to the care and services that were received.
  • Equipment service records should be maintained for 10 years from the date of the last entry. ^{Indicator s. iv.}

b. Adults

• • In Alberta, specific legislation outlining record retention requirements for health-care professionals, including registered SLPs and audiologists, does not exist.
  • The Health Information Act (1) outlines requirements regarding record retention in hospitals.
  • Consistent with the Limitations Act (14), ACSLPA has adopted a minimum retention period for adult records of at least 11 years and three months since the date of last service (which matches the amount of time records would be needed to defend against a civil claim). ^{Indicator s. i.}

c. Persons under disability

• • A “person under disability” is an adult who is under a legal guardianship or lacks the mental capacity to make judgments about a claim. From a legal perspective, to ensure that records are not destroyed before a claim is filed and served, records for a “person under disability” must be retained for three years and three months after the individual’s death. ^{Indicator s. ii.}

d. Minors

• • Consistent with the Limitations Act (14), ACSLPA has adopted a minimum retention period for minors’ records of at least 11 years and three months after their 18^{th Indicator s. iii.}

e. Test Protocols

• • Test protocols should be retained according to the guidelines outlined above.
  • In situations where employer policies do not allow for the storage of test protocols (i.e., raw data) on the client’s main health record or cumulative file, it is the SLP or audiologist’s responsibility to keep the protocols for the retention period noted above.
  • Test protocols should be retained with documentation (e.g., progress notes, reports) that provides interpretation of the protocol information.
  • It may not be possible to maintain test protocols electronically (depending on copyright). Individual SLPs and audiologists should be aware of copyright laws and requirements.
  • Copies of care pathways or protocols should be retained according to the guidelines outlined above in circumstances where client care delivery and documentation is according to a protocol, or where charting by exception is employed. ^{Indicator p.}

f. Considerations re: paper-based and electronic records

• • Assessment and intervention service records may be retained either in electronic format or in hard copy taking the appropriate safeguards and precautions to ensure confidentiality and security.
  • If paper records are transferred to an electronic format for storage purposes, they should be reviewed to ensure they are legible, and that all relevant information has been saved electronically prior to destroying the hard
    copy versions.
  • Different legislation, for example, POPA, has requirements regarding retention and use of personal information in automated systems to generate content (e.g., making every reasonable effort to ensure the accuracy and completeness of personal information).

3. Storage of Records

a. All Records

Privacy statutes impose an obligation to take reasonable measures to guard against unauthorized access to information.

• • Hard-copy client records should be stored in a secure location, such as a locked filing cabinet or file room.
  • Principles regarding the storage of electronic client files can be found under Section F. Security and Confidentiality of Records, 2. Protection of Personal Information on Electronic Devices, and 3. Protection of Personal Information and Cloud Technology.

b. Record Management Upon Closure or Transfer of Practice

Practitioners who work in private-practice settings are responsible for ensuring that records are dealt with in an appropriate manner upon closure or transfer of the practice.

• • Records should be transferred, as necessary, to another registered SLP or audiologist.
  • In the case where a speech-language pathology or audiology business is sold to a new owner, custody of records can be transferred to the new owner. This should be stipulated in the contract for the sale of the business and should specify that the new owner retain the files in a manner consistent with the requirements of privacy legislation and the Standards of Practice.
  • Clients should be informed of file transfers and should also be given the option of having their records transferred to an SLP or audiologist of their own choice.
  • If the clinician is unable to provide ongoing management or storage of the client records on their own premises, they should be put into commercial storage for custody.
  • If there is no receiving SLP or audiologist available, records should be transferred directly to the individual client.
  • SLPs and audiologists who maintain custody and control of records (or those who are most responsible for records) in a speech-language pathology or audiology practice must ensure that there are plans in place for all aspects of record management and maintenance to ensure that client records are not abandoned. Regulated members should appoint another health care professional (preferably a member of the same profession) who agrees to serve as the incoming responsible party if they cannot fulfill their duties.

4. Disposal of Records

After the appropriate time has elapsed (see Section E.2. Management of Records – Retention), records should be destroyed.

• • Generally accepted methods of disposal would include:
    • Shredding hard copy personal and health information.
    • Permanently purging files from a computer hard drive. Simply deleting files is not adequate as they can be reconstructed.

1. Privacy Legislation and Professional Obligations

ACSLPA’s Code of Ethics and Standards of Practice outline expectations regarding the privacy and confidentiality of client records. Provincially, there are also four key pieces of legislation that outline how information should be dealt with in Alberta, and additional legislation related to information regarding children in the form of the Children First Act. Each of the four legislation sets rules for how information should be collected, protected, used, and disclosed, as well as gives individuals the right to access information and to request a correction of information.

While the underlying principles outlined in these pieces of legislation are similar, they differ in terms of the types of information to which they apply (i.e., health information, non-health information) and to which individuals/organizations they are applicable. Both PIPA and HIA have mandatory requirements for reporting breaches of information (unauthorized sharing). Under POPA, the OIPC, relevant Minister and affected individuals must be notified of privacy breaches in certain circumstances i.e., where there is a significant risk of harm.

Each piece of legislation may be accessed by visiting: https://www.acslpa.ca/the-college/governing-legislation-bylaws/.

Helpful resources (16, 17, 18) that provide information on how to understand and use each piece of legislation can be found on the Office of the Information and Privacy Commissioner of Alberta website at: http://www.oipc.ab.ca. Online courses regarding information sharing are also available on the Government of Alberta website at:  https://www.alberta.ca/information-management-and-education.

In the case of an employing organization, the obligation to implement and enforce appropriate policies regarding security and confidentiality of records rests with the employer, who would be considered the custodian/organization/head of the public body designated in the applicable privacy legislation.

ACSLPA regulated members who are in independent practice are responsible for familiarizing themselves with the appropriate legislation and their corresponding responsibilities.

The rapidly changing nature of technology necessitates maintaining currency as privacy requirements evolve. In addition, members need to remain apprised of legislation updates and revisions.

a. Privacy Breaches

A privacy breach is a loss or unauthorized access to or disclosure of personal or individually identifying health information. The most common privacy breaches happen when personal information is stolen, lost, improperly accessed, or mistakenly disclosed.

• • If a breach of personal information occurs, the organization must determine if it presents a risk of significant harm to an individual due to the loss or unauthorized access or disclosure. Please refer to OIPC resources (15,16) for detailed information.
  • If risk of significant harm has been determined, then private sector organizations and responsible parties must report the breach to the OIPC and may also be required to notify affected individuals.

Regulated members should familiarize themselves with the requirement for breach reporting in keeping with applicable legislation.

b. Health Information Act (HIA)

The HIA (1) governs health information by addressing protection of individually identifying health information.  It defines individuals and organizations that it applies to as either custodians or affiliates.

Under HIA, custodians are:

• • Gatekeepers who must be vigilant in determining what information will be collected, shared, and with whom it will be shared, in accordance with
    the legislation.
  • HIA and accompanying regulations define over 20 types of custodians, including provincial health corporations, hospital operators, continuing care home operators, members of the College of Physicians and Surgeons of Alberta, members of the Alberta College of Pharmacists, licensed pharmacies, and the Ministers named in the Act.

An affiliate, by contrast, is a person who:

• • is an individual employed by a custodian;
  • performs a service for a custodian as an appointee, volunteer, or student;
  • performs a service for a custodian under a contract or agency relationship with the custodian;
  • is exercising the right to admit and treat patients at a hospital as defined in the Hospitals Act;
  • is an information manager, as defined by HIA; or
  • is designated under the regulations to be an affiliate.

c. Personal Information Protection Act (PIPA)

The PIPA (4) governs personal information, including both health and non-health information, held by private-sector organizations in Alberta.

• • PIPA is applicable to private businesses (including private practices that provide SLP or audiology services), non-profit organizations and professional regulatory bodies.
  • As regulated members of ACSLPA have not been added to the definition of a custodian under HIA, those registrants who are in private practice continue to be subject to PIPA.

d. Access to Information Act (ATIA)

The ATIA (2) governs public bodies including the Government of Alberta ministries and departments, boards and commissions, school boards and charter schools, universities and colleges, municipalities, and police. It provides rules and processes for individuals accessing personal records that are in the control of public bodies and aims to protect confidential information required to ensure effective operations of government and public bodies.

• • ATIA applies to personal information about an identifying individual, including health and health care history. Health information may have additional restrictions under HIA.

e. Protection of Privacy Act (POPA)

The POPA (3) governs the ways a public body may collect, use or disclose personal information. Like the ATIA, POPA also applies to public bodies in Alberta.

• • POPA applies to personal information about an identifying individual, including health and health care history.

f. Children First Act (CFA)

The CFA (5) supplements information sharing already outlined under ATIA, POPA and HIA, by outlining additional circumstances where information about children can be collected, used, and disclosed.

• • It supports appropriate information sharing between individuals and organizations that plan or provide programs and services for children, including government departments, educational bodies, health care bodies, police services, parents or guardians, and others under the information sharing provisions (Section 4) of the Act.
  • Members employed by public bodies (i.e., health or education settings) or under agreement with a public body (i.e., contractual workers), may be subject to the provisions of the CFA.

2. Protection of Personal Information on Electronic Devices

SLPs and audiologists who store personal information regarding clients on personal computers, laptops, or other mobile devices must ensure that the information is protected in case their device is lost or stolen.

• Privacy statutes impose an obligation to take reasonable measures to guard against unauthorized access to information.
• “Reasonable measures” to guard against unauthorized access to information on a personal electronic device would include the following:
  • Password protection using complex passwords.
  • Anti-virus and anti-malware software.
  • Encryption of personal information.
  • For mobile devices, ensuring that the device is set to “auto-lock” when not in use.
  • Locking devices to furniture when left unattended so they cannot be easily removed.

3. Protection of Personal Health Information and Cloud Technology

Cloud computing is the delivery of computing services over the Internet. Among other things, organizations and individuals may use cloud computing services for data processing, storage, and backup.

• Under Canada’s private sector privacy legislation, an organization that collects personal information from an individual is accountable for the personal information even when it is outsourced for processing to third-party providers.
• Terms of service must be reviewed to ensure that the personal information shared with the provider will be managed consistent with the privacy obligations under relevant privacy legislation.
• An individual or an organization needs to ensure that appropriate consents have been obtained if personal information is going to be outsourced to a third-party cloud service.
• Personal information that is transferred to another country (i.e., stored on a server in another country) is subject to the laws of that jurisdiction. Information about where cloud technology is housed should, therefore, be disclosed to clients.
• Written information about the policies and practices of the service provider should be available on request.

Helpful resources (20) regarding cloud computing, including cloud computing key questions and additional resources can be found on the website of the Office of the Information and Privacy Commissioner of Alberta at http://www.oipc.ab.ca.