
Electronic Information Management

Professional Practice

Most MT practices now use some form of electronic system for scheduling, documentation, billing, or communication. Managing digital information securely and effectively is a professional obligation under PHIPA, not just a convenience. This article covers EHR systems, digital document management, cloud security, backup protocols, and PHIPA compliance for digital records.

Why This Matters for MTs

  • PHIPA applies equally to paper and electronic records. Digital records create additional security considerations (hacking, data breaches, cloud storage vulnerabilities) that paper records do not.
  • Practice management software is now standard in multi-therapist clinics and increasingly expected in solo practices. Competence with these systems is a practical necessity.
  • A data breach involving client health information can result in regulatory complaints, Information and Privacy Commissioner (IPC) investigations, and loss of client trust.
  • FOMTRAC identifies electronic information management as a professionalism competency, yet it is rarely covered in MT curricula.

Key Principles

Electronic Health Records (EHR) Systems

What EHR Systems Do
  • Store client demographics, health histories, SOAP notes, assessment findings, and treatment plans electronically.
  • Manage scheduling, appointment reminders, and waitlists.
  • Generate receipts and process insurance billing (including direct billing).
  • Track outcome measures over time (some systems generate progress graphs).
  • Facilitate communication (secure messaging with clients, referral letters).
Common EHR Platforms for MT
  • Jane App: Cloud-based, widely used in Canadian MT and allied health. Scheduling, charting, billing, online booking, telehealth. PHIPA-compliant hosting in Canada.
  • Cliniko: Cloud-based practice management. Scheduling, documentation, billing. Data hosted outside Canada (check PHIPA implications).
  • SOAP Vault: Specifically designed for massage therapists. SOAP documentation, treatment tracking.
  • Universal Office (UO): Desktop-based. Common in multidisciplinary clinics. Scheduling, billing, documentation.
  • Custom solutions: Some clinics use general-purpose tools (Google Workspace, Microsoft 365) for scheduling and documentation. These require careful configuration to meet PHIPA standards.
Selecting an EHR System
Key questions to evaluate:

| Criterion | What to Ask |
| --- | --- |
| PHIPA compliance | Is data stored on servers located in Canada? What encryption standards are used? |
| Data ownership | Who owns the data — you or the vendor? Can you export all records if you switch systems? |
| Access controls | Can you set role-based access (admin, therapist, front desk)? Is there audit logging? |
| Backup | Does the vendor perform automatic backups? How often? What is the recovery process? |
| Uptime guarantee | What happens if the system goes down during clinic hours? Is there an SLA? |
| Support | Is customer support available during your clinic hours? Is support based in Canada? |
| Cost | Monthly fee structure (per user, per location, flat rate). Hidden costs (setup, training, data export). |

Digital Document Management

Creating and Organizing Digital Records
  • Use consistent file naming conventions: `LastName-FirstName-YYYY-MM-DD-DocumentType` (e.g., `Smith-John-2026-04-23-SOAP.pdf`).
  • Organize files in a logical folder structure (by client, by date, or as the EHR system dictates).
  • Scan paper documents (intake forms, consent forms, referral letters) and store digital copies alongside electronic records.
  • Use PDF format for documents that need to be preserved in their original format (signed consent forms, third-party reports).
Digital Signatures
  • Electronic signatures on consent forms are legally valid in Ontario under the Electronic Commerce Act, 2000.
  • Ensure the signature method provides verification of identity and intent (not just a typed name).
  • Some EHR systems include built-in digital signature capture on tablets or phones.
Document Retention (Digital)
  • The same retention rules apply to digital records as paper: 10 years from last entry, or until a minor client turns 28.
  • At the end of the retention period, digital records must be permanently deleted — not just moved to a recycle bin. Use secure deletion methods or engage a certified data destruction service.
  • Ensure backup copies are also deleted when the primary records are destroyed.
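The naming convention above and the digital retention rule can be checked mechanically. The following is an added example, not code from the article or from any EHR vendor: it parses filenames of the form `LastName-FirstName-YYYY-MM-DD-DocumentType`, rejects names that do not conform (including impossible dates), takes the most recent entry per client, and reports when that client's records become eligible for secure destruction. The sample filenames and birth dates are constructed, and the code assumes the "minor client" part of the rule means the client was under 18 at the time of the last entry.

```python
import re
from datetime import date

# Filename pattern for the convention above. Each name field is a single run of
# letters; a hyphenated surname such as Smith-Jones would shift the fields, so it
# is reported as non-conforming rather than silently mis-parsed.
FILENAME_RE = re.compile(
    r"^(?P<last>[A-Za-z']+)-(?P<first>[A-Za-z']+)-"
    r"(?P<date>\d{4}-\d{2}-\d{2})-(?P<doctype>[A-Za-z0-9]+)\.(?P<ext>[A-Za-z0-9]+)$"
)

# Constructed sample folder listing (not real client data).
SAMPLE_FILES = [
    "Smith-John-2026-04-23-SOAP.pdf",
    "Smith-John-2014-01-10-Intake.pdf",
    "Lee-Ana-2012-06-30-SOAP.pdf",
    "Lee-Ana-2013-02-01-Consent.pdf",
    "Garcia-Maya-2010-09-15-SOAP.pdf",
    "john smith notes.docx",            # does not follow the convention
    "Smith-John-2026-13-45-SOAP.pdf",   # impossible date
]

# Constructed: birth dates for clients who were minors during treatment.
SAMPLE_BIRTH_DATES = {("Garcia", "Maya"): date(2000, 3, 5)}


def to_date(iso):
    """Parse YYYY-MM-DD; raises ValueError for impossible dates."""
    return date.fromisoformat(iso)


def parse_filename(name):
    """Return the filename's components, or None if it does not follow the convention."""
    m = FILENAME_RE.match(name)
    if not m:
        return None
    try:
        entry_date = to_date(m.group("date"))
    except ValueError:
        return None
    return {"last": m.group("last"), "first": m.group("first"), "date": entry_date,
            "doctype": m.group("doctype"), "ext": m.group("ext")}


def add_years(d, years):
    """Add whole years; 29 February maps to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(last_entry, birth_date=None):
    """Earliest date the record may be destroyed: 10 years after the last entry, or
    the client's 28th birthday if the client was under 18 at the last entry
    (assumed reading of the rule above)."""
    end = add_years(last_entry, 10)
    if birth_date is not None and last_entry < add_years(birth_date, 18):
        end = max(end, add_years(birth_date, 28))
    return end


def retention_report(filenames, today, birth_dates=None):
    """Group files by client, take the most recent entry per client, and report
    whether the client's records must still be retained as of `today`.
    Returns (report, rejected); rejected lists non-conforming filenames."""
    birth_dates = birth_dates or {}
    last_entry, rejected = {}, []
    for name in filenames:
        parsed = parse_filename(name)
        if parsed is None:
            rejected.append(name)
            continue
        key = (parsed["last"], parsed["first"])
        if key not in last_entry or parsed["date"] > last_entry[key]:
            last_entry[key] = parsed["date"]
    report = {}
    for key, last in last_entry.items():
        end = retention_end(last, birth_dates.get(key))
        report[key] = {"last_entry": last, "retain_until": end,
                       "status": "eligible for destruction" if today >= end else "retain"}
    return report, rejected


if __name__ == "__main__":
    report, rejected = retention_report(SAMPLE_FILES, to_date("2026-05-01"), SAMPLE_BIRTH_DATES)
    for (last, first), row in sorted(report.items()):
        print(f"{last}, {first}: last entry {row['last_entry']}, "
              f"retain until {row['retain_until']} -> {row['status']}")
    for name in rejected:
        print(f"rename needed: {name!r}")
```

Non-conforming names are listed rather than guessed at, because a mis-parsed date would silently shorten or extend a retention period. The report only says a client's records are eligible; the destruction itself still has to use a secure deletion method and include every backup copy.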

Cloud Storage Security

Benefits of Cloud Storage
  • Automatic backups and redundancy (data survives hardware failure).
  • Access from multiple devices and locations (useful for mobile practitioners or multi-location clinics).
  • Vendor-managed security updates and infrastructure maintenance.
  • Scalability (storage grows with your practice).
PHIPA Requirements for Cloud Storage
  • Data residency: PHIPA does not explicitly prohibit storing data outside Canada, but the IPC strongly recommends Canadian hosting. If data is stored in another jurisdiction (e.g., US servers), it may be subject to that country's laws (e.g., US PATRIOT Act).
  • Encryption: Data must be encrypted both in transit (during upload/download — HTTPS/TLS) and at rest (stored on the server).
  • Access controls: Only authorized personnel should have access. Use role-based permissions.
  • Vendor agreements: Review the cloud provider's privacy policy and data processing agreement. Ensure they will not access, use, or disclose your clients' health information for their own purposes.
  • Business associate / data processing agreement: Have a written agreement with any cloud vendor that handles PHI, specifying their privacy and security obligations.
Cloud Storage Risks
  • Vendor bankruptcy or service discontinuation (ensure data export capability).
  • Security breaches at the vendor level (you are still responsible for your clients' data).
  • Internet outage preventing access to records during clinic hours (maintain a contingency plan).

Backup Protocols

The 3-2-1 Rule
  • 3 copies of your data (the original + 2 backups).
  • 2 different media types (e.g., cloud storage + external hard drive).
  • 1 copy offsite (not in the same physical location as the original — protects against fire, flood, theft).
Backup Schedule
  • Daily: Automatic cloud backup of the EHR system (most cloud-based EHRs do this automatically).
  • Weekly: Backup of any locally stored files (scanned documents, financial records, templates) to an external drive and/or a secondary cloud location.
  • Monthly: Verify backup integrity. Test the restoration process by recovering a sample file.
  • Annually: Review and update the backup strategy. Ensure it accounts for practice growth (more clients = more data).
Backup Security
  • Encrypt all backup media (external drives, USB drives).
  • Store physical backup media in a locked, fireproof location.
  • Do not leave unencrypted USB drives or external hard drives in unlocked drawers or vehicle trunks.
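The monthly steps in the schedule above, verifying backup integrity and testing restoration, are the ones most practices skip. The following is an added example, not code from the article or from any EHR vendor, showing what those two steps look like for locally stored files: it archives a folder with a SHA-256 manifest, checks every file in the archive against the manifest, and restores a single sample file and confirms the restored copy matches. The sample files are constructed. Encrypting the backup media, which the Backup Security list also requires, is a separate step around the archive and is not shown here.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def digest_stream(f):
    """SHA-256 of an open binary stream, read in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: f.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_file(path):
    with open(path, "rb") as f:
        return digest_stream(f)


def manifest_path(archive_path):
    return Path(str(archive_path) + ".manifest.json")


def make_backup(src_dir, archive_path):
    """Archive every file under src_dir and write a manifest (relative path ->
    SHA-256) beside the archive. Returns the manifest dict."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest_path(archive_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(archive_path):
    """Integrity check: every manifest entry must be in the archive with a matching
    digest, and the archive must contain nothing unlisted. Returns (ok, problems)."""
    manifest = json.loads(manifest_path(archive_path).read_text())
    problems = []
    with tarfile.open(archive_path, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        for rel, digest in manifest.items():
            member = members.get(rel)
            if member is None:
                problems.append(f"missing: {rel}")
                continue
            with tar.extractfile(member) as f:
                if digest_stream(f) != digest:
                    problems.append(f"corrupt: {rel}")
        problems.extend(f"unexpected: {rel}" for rel in sorted(set(members) - set(manifest)))
    return not problems, problems


def restore_file(archive_path, rel, dest_dir):
    """Restore test: copy one file out of the archive into dest_dir and confirm the
    restored copy matches the manifest. Returns the restored path."""
    manifest = json.loads(manifest_path(archive_path).read_text())
    dest = Path(dest_dir) / Path(rel).name
    with tarfile.open(archive_path, "r:gz") as tar, tar.extractfile(rel) as src, open(dest, "wb") as out:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            out.write(chunk)
    if sha256_file(dest) != manifest[rel]:
        raise ValueError(f"restored copy of {rel} does not match the manifest")
    return dest


def demo():
    """Constructed end-to-end run: two files, a clean backup, a restore test, then a
    manifest edited so one digest no longer matches (simulated corruption)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        src = Path(root) / "records"
        (src / "Smith-John").mkdir(parents=True)
        consent = "Smith-John/Smith-John-2026-04-23-Consent.pdf"
        (src / consent).write_bytes(b"%PDF-1.4 constructed sample\n")
        (src / "templates.txt").write_text("intake template\n")
        archive = Path(root) / "records-backup.tar.gz"
        manifest = make_backup(src, archive)
        results["files_backed_up"] = len(manifest)
        results["clean_ok"], _ = verify_backup(archive)
        results["restored_bytes"] = restore_file(archive, consent, root).stat().st_size
        manifest["templates.txt"] = "0" * 64   # simulate a digest mismatch
        manifest_path(archive).write_text(json.dumps(manifest))
        results["corrupt_ok"], results["problems"] = verify_backup(archive)
    return results


if __name__ == "__main__":
    print(demo())
```

The manifest is what makes the monthly check meaningful: without recorded digests, "the archive opens" is all you can confirm. Keep a copy of the manifest with each of the three copies under the 3-2-1 rule, so the offsite copy can be verified on its own.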

PHIPA Compliance for Digital Records

Core Obligations
  • Collection: Collect only the personal health information necessary for the purpose (principle of data minimization).
  • Use: Use PHI only for the purpose for which it was collected (treatment, billing, quality assurance) unless the client consents to another use or an exception applies (e.g., mandatory reporting).
  • Disclosure: Disclose PHI only with the client's consent or as required by law. Use the principle of minimum necessary disclosure.
  • Security: Implement administrative (policies, training), technical (encryption, access controls, audit logging), and physical (locked rooms, secured devices) safeguards.
  • Breach notification: If a privacy breach occurs involving electronic records, notify affected individuals and report to the IPC if the breach poses a risk of significant harm.
Practical Security Measures
  • Passwords: Use strong, unique passwords for every system. Implement multi-factor authentication (MFA) wherever possible.
  • Device security: Lock computers and tablets when stepping away (even briefly). Enable automatic screen lock after 2-5 minutes of inactivity.
  • Wi-Fi security: Use WPA3 (or minimum WPA2) encryption on clinic Wi-Fi. Do not use public Wi-Fi for accessing client records. If working remotely, use a VPN.
  • Email: Do not send PHI via unencrypted email. Use the EHR's secure messaging system, or use an encrypted email service if sending clinical information to other providers.
  • Mobile devices: If you access client information on a phone or tablet, ensure the device is password-protected, encrypted, and has remote wipe capability in case of loss or theft.
  • Staff training: Train all staff (including front desk) on digital privacy and security protocols. Document the training.
  • Audit logging: Use systems that track who accessed which records and when. Review audit logs periodically for unauthorized access.
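"Review audit logs periodically" is easier with a few written-down rules. The following is an added example, not code from the article or from any EHR product: it parses a constructed audit export and applies four review rules that line up with the measures above (role-based access, appointment-linked access, after-hours activity, and unusually broad chart access). The log format, user names, roles, clinic hours and appointment book are all constructed assumptions; a real EHR's export will have different columns. Every finding is a candidate for follow-up, not proof of misuse: a therapist covering a colleague's client will trip the appointment rule, so the review ends with a conversation, not a conclusion.

```python
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed audit export (not from any real EHR): timestamp,user,role,action,client_id
SAMPLE_AUDIT_LOG = """\
2026-04-23T09:05:12,rmt.lee,therapist,view_chart,C1001
2026-04-23T09:06:40,rmt.lee,therapist,edit_soap,C1001
2026-04-23T10:15:03,frontdesk.ana,front_desk,view_schedule,C1002
2026-04-23T10:16:10,frontdesk.ana,front_desk,view_chart,C1002
2026-04-23T13:30:00,rmt.park,therapist,view_chart,C1003
2026-04-23T23:41:27,rmt.park,therapist,view_chart,C1001
2026-04-24T08:55:00,rmt.lee,therapist,view_chart,C1004
2026-04-24T08:55:05,rmt.lee,therapist,view_chart,C1005
2026-04-24T08:55:09,rmt.lee,therapist,view_chart,C1006
2026-04-24T08:55:14,rmt.lee,therapist,view_chart,C1007
2026-04-24T08:55:20,rmt.lee,therapist,view_chart,C1008
"""

# Constructed appointment book: (date, practitioner, client_id)
SAMPLE_APPOINTMENTS = {
    ("2026-04-23", "rmt.lee", "C1001"),
    ("2026-04-23", "rmt.park", "C1003"),
    ("2026-04-24", "rmt.lee", "C1004"),
}

CLINIC_OPEN, CLINIC_CLOSE = time(7, 0), time(21, 0)   # assumed clinic hours
CLINICAL_ACTIONS = {"view_chart", "edit_soap"}        # actions that expose PHI
BULK_WINDOW_SECONDS, BULK_THRESHOLD = 300, 4          # distinct charts per 5 minutes


def parse_log(text):
    """Parse the constructed CSV export into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, client = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "action": action, "client": client})
    return events


def review(events, appointments):
    """Apply the four review rules and return a list of findings for follow-up."""
    findings = []
    recent = defaultdict(list)   # user -> [(timestamp, client)] of recent chart access
    bulk_flagged = set()

    def flag(rule, e, detail):
        findings.append({"rule": rule, "user": e["user"], "client": e["client"],
                         "ts": e["ts"].isoformat(), "detail": detail})

    for e in sorted(events, key=lambda ev: ev["ts"]):
        day = e["ts"].date().isoformat()
        clinical = e["action"] in CLINICAL_ACTIONS
        # Rule 1: front-desk accounts should never open clinical notes.
        if clinical and e["role"] == "front_desk":
            flag("role_violation", e, f"{e['role']} performed {e['action']}")
        # Rule 2: a therapist opening a chart with no appointment that day.
        if clinical and e["role"] == "therapist" and (day, e["user"], e["client"]) not in appointments:
            flag("no_appointment", e, "chart opened without an appointment that day")
        # Rule 3: any activity outside clinic hours.
        if not CLINIC_OPEN <= e["ts"].time() <= CLINIC_CLOSE:
            flag("after_hours", e, f"activity at {e['ts'].time()}")
        # Rule 4: many different charts opened in a short window (flagged once per user).
        if clinical:
            window = recent[e["user"]]
            window.append((e["ts"], e["client"]))
            window[:] = [(t, c) for t, c in window
                         if (e["ts"] - t).total_seconds() <= BULK_WINDOW_SECONDS]
            distinct = {c for _, c in window}
            if len(distinct) >= BULK_THRESHOLD and e["user"] not in bulk_flagged:
                bulk_flagged.add(e["user"])
                flag("bulk_access", e, f"{len(distinct)} charts in {BULK_WINDOW_SECONDS}s")
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'no_appointment': 5, ...}."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    found = review(parse_log(SAMPLE_AUDIT_LOG), SAMPLE_APPOINTMENTS)
    for f in found:
        print(f"{f['ts']}  {f['rule']:<15} {f['user']:<14} {f['client']}  {f['detail']}")
    print(summarize(found))
```

On the sample data the review surfaces one front-desk chart view, one late-night access with no appointment, and a run of five charts opened in twenty seconds. Thresholds such as the clinic hours and the bulk-access window should be set from your own practice's normal pattern and revisited when that pattern changes.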

Practice Management Software Overview

| Feature | Why It Matters | Standard in Most Systems |
| --- | --- | --- |
| Online booking | Reduces phone calls, allows 24/7 booking | Yes |
| Automated reminders | Reduces no-shows (email, SMS, or app notification) | Yes |
| Charting / SOAP notes | Structured documentation with templates | Yes |
| Direct billing | Submits insurance claims electronically | Most (varies by insurer) |
| Receipt generation | Produces insurance-compliant receipts | Yes |
| Outcome tracking | Charts pain scores, ROM, or functional measures over time | Some |
| Telehealth | Video consultations for follow-ups or assessments | Some |
| Reporting | Revenue reports, appointment statistics, utilization rates | Yes |
| Multi-practitioner support | Separate practitioner schedules, permissions, and revenue tracking | Yes (cloud-based) |

Clinical Application

  • Before selecting an EHR system, create a requirements list based on your practice model (solo vs. multi-therapist, single vs. multiple locations, insurance billing needs).
  • Implement MFA on all systems that support it — this single step prevents the majority of unauthorized access incidents.
  • Test your backup restoration process at least once before you actually need it.
  • Create a written privacy and security policy for your practice and review it annually.
  • If you are transitioning from paper to electronic records, do not discard paper records until the digital copies are verified and backed up. Maintain the original paper records for the full retention period.

FOMTRAC Alignment

  • PC 1.2w: Use electronic information management tools.
  • PI 1.2w.1: Use electronic tools for client records, scheduling, and billing.
  • PI 1.2w.2: Ensure electronic records meet privacy and security requirements.

CMTO Exam Relevance

  • MCQ questions may test PHIPA compliance for electronic records (encryption requirements, consent for electronic communication, breach notification obligations).
  • Scenarios involving email communication with clients or other providers test knowledge of when secure messaging is required vs. when standard email is acceptable.
  • Record retention rules apply equally to digital records — do not assume digital means different rules.

Key Takeaways

  • PHIPA applies equally to electronic and paper records, but digital records introduce additional security considerations (encryption, access controls, cloud data residency, breach response).
  • When selecting an EHR system, prioritize PHIPA compliance (Canadian data hosting, encryption, access controls, data export capability) over flashy features.
  • The 3-2-1 backup rule (3 copies, 2 media types, 1 offsite) protects against data loss from hardware failure, theft, or natural disaster.
  • Multi-factor authentication, automatic screen lock, encrypted Wi-Fi, and staff training are foundational digital security measures for any MT practice.
  • Digital record retention and destruction follow the same rules as paper: 10 years from last entry, with secure permanent deletion required at the end of the retention period.

Sources

  • College of Massage Therapists of Ontario. (2024). Standards of practice. https://www.cmto.com/
  • College of Massage Therapists of Ontario. (2024). Record keeping: Regulatory guide. https://www.cmto.com/
  • Federation of Massage Therapy Regulatory Authorities of Canada. (2016). Inter-jurisdictional competency standards: Practice competencies and performance indicators for massage therapists at entry-to-practice.
  • Government of Ontario. (2004). Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A.
  • Information and Privacy Commissioner of Ontario. (2020). Health privacy guidance documents. https://www.ipc.on.ca/
  • Government of Ontario. (2000). Electronic Commerce Act, 2000, S.O. 2000, c. 17.