
Confidentiality of Personal Health Information


Approved by Council: November 2000
Reviewed and Updated: November 2005

Downloadable Versions: Confidentiality of Personal Health Information | Confidentialité des renseignements personnels sur la santé

Other References: Circle of Care: Sharing Personal Health Information for Health-Care Purposes



This policy is designed to help physicians understand their legal and professional obligations to maintain patient confidentiality. It is intended to provide a general overview of the confidentiality requirements set out under the Personal Health Information Protection Act, 2004 (PHIPA)1 and to outline other professional obligations related to patient confidentiality and the practice of medicine. It is not meant to be construed as legal advice, nor does it address all matters pertaining to the confidentiality of patient information.

Given the complexity of the legal requirements, physicians are advised, whenever there is uncertainty, to contact the Physician Advisory Service at the College, their legal counsel, the Canadian Medical Protective Association (CMPA)2 or the Information and Privacy Commissioner of Ontario for further direction.



Definitions

The terms noted below will appear throughout this policy and have the following legal definitions under section 4 of PHIPA:

"personal health information", subject to certain exceptions,3 means identifying information about an individual in oral or recorded form, if the information,

  1. relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
  2. relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
  3. is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual,
  4. relates to payments or eligibility for health care in respect of the individual,
  5. relates to the donation by the individual of any body part or bodily substance,
  6. is the individual’s health number, or
  7. identifies an individual’s substitute decision-maker.

"identifying information" means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.



  1. Physicians must act in accordance with all of their professional and legal obligations.
  2. To establish and preserve trust in the physician-patient relationship, patients must be confident that their personal health information will remain confidential.
  3. Maintaining confidentiality is fundamental to providing the highest standard of patient care. Patients who understand that their information will remain confidential are more likely to provide the physician with complete and accurate health information, which in turn, leads to better treatment advice from the physician.


The College expects physicians to follow the regulations under the Medicine Act, 1991,4 and the rules under PHIPA when collecting, using or disclosing personal health information.5

While PHIPA establishes rules in relation to the “collection,” “use” and “disclosure” of personal health information, this policy will focus only on those pertaining to the “disclosure” of such information.

Disclosure of personal health information

A physician can only disclose his or her patient’s personal health information:

  • when he or she has the patient’s or substitute decision-maker’s consent and it is necessary for a lawful purpose;
  • where it is permitted under legislation, without the patient’s or substitute decision-maker’s consent; or
  • where it is required by law.


Generally, physicians need express or implied consent before disclosing personal health information.6

Physicians, however, are entitled to assume that they have the patient’s implied consent for the purposes of providing or assisting in providing health care, unless the physician disclosing the information is aware that the patient has expressly withheld or withdrawn consent.7 This means that, without reason to believe otherwise, physicians can share information with others involved within the patient’s circle of care8 without asking for the patient’s consent.

The patient’s express consent is required for providing his or her personal health information outside of the circle of care, except where otherwise directed by statute.

"Lock Boxes"

The term “lock box” applies to situations where the patient has expressly restricted his or her physician from disclosing specific personal health information to others – even to others involved in the patient’s circle of care.

Where in the course of treatment, a physician is not able to disclose to another physician or health care provider all of the information reasonably necessary for providing care, the physician must notify the recipient of that fact. Physicians are advised to discuss with patients the potential health risks associated with creating a lock box. These discussions and the patient’s decision should be well documented in the patient’s medical record.

Alternatively, if the lock box creates a situation where the physician feels the patient’s safety is at risk, the physician can refuse to provide treatment when it is not an emergency situation. The physician should explain the reasons for his or her decision not to treat the patient and note all relevant discussions in the patient’s health record.

It is to be noted that patients may not prevent the physician from disclosing personal health information permitted or required by law.9

Permitted Disclosure under PHIPA

PHIPA allows the disclosure of personal health information without patient consent under certain circumstances. Physicians, however, are not prohibited from seeking the patient’s consent. For this reason, the College advises physicians that, whenever possible, they should make every reasonable effort to obtain the patient’s consent before disclosing his or her information.

The following sections address a limited number of situations where disclosure of personal health information is permitted without consent under PHIPA.10

Disclosure for the provision of health care under exceptional circumstances

If the disclosure of personal health information is reasonably necessary for the provision of health care and it is not reasonably possible to obtain the patient’s consent in a timely manner, a physician may disclose the relevant information, unless the patient has expressly instructed the physician otherwise.

For example, this type of disclosure allows the physician to perform necessary medical services during emergency situations.

Disclosure related to risks

A physician may disclose personal health information about an individual if the physician believes, on reasonable grounds, that the disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm to a person or group of persons. The disclosure may be made to police, and in some instances, to the intended victim(s).

Physicians are expected to use their best judgment in these situations; however, physicians are advised to contact the College’s Physician Advisory Service, their lawyer, the CMPA, or the Information and Privacy Commissioner of Ontario whenever they are uncertain whether the disclosure is appropriate. Physicians should also document all activities in the patient’s medical record, and when appropriate, advise the patient of their decision to disclose the relevant information.

Disclosure for the purpose of regulating the medical profession

Disclosure of personal health information to the College is permitted for the purposes of administering and enforcing the Regulated Health Professions Act, 1991 (RHPA). This includes disclosing personal health information for the purpose of carrying out the regulatory duties set out in the RHPA (e.g., Registrar’s Investigations and Quality Assurance peer assessments).

Required Disclosure

Physicians may be required by law, in a variety of circumstances, to disclose personal health information without the consent of the patient.

Mandatory Reports

Certain statutes have reporting provisions that may require the physician to provide information about a patient. Examples of legislation requiring mandatory reports include the Regulated Health Professions Act, 1991; the Highway Traffic Act; the Child and Family Services Act; the Health Protection and Promotion Act; the Aeronautics Act; the Coroners Act and the Health Professions Procedural Code (See College policy on Mandatory and Permissive Reporting).

Monitoring of Claims for Payment

In circumstances where the Ministry of Health and Long-Term Care is monitoring or verifying claims for payment for health care, or for goods used for health care that are funded wholly or in part by the Ministry, the physician must provide the patient’s personal health information to the Minister, upon his or her request.

Summonses, Subpoenas and Court Orders

In the course of litigation, physicians may be required by a summons, subpoena or a court order to disclose a patient’s personal health information and patient records. The physician should read the summons, subpoena or court order carefully and not do more than it requires. For example, a summons may require a physician to attend a court at a particular time and to take a specific patient chart. The summons does not authorize the physician to discuss the patient’s care with, or show the record to, anyone in advance of the court appearance.

Reports under the Workplace Safety and Insurance Act

Under the Workplace Safety and Insurance Act, a physician who is providing health care to a worker claiming benefits under the workplace insurance plan must promptly give the Workplace Safety and Insurance Board (WSIB) the relevant personal health information that the WSIB may require or that the patient requests that the physician provide to the WSIB. PHIPA permits the physician to report the required information to the WSIB and/or the employer without the patient’s consent.11 If, however, the physician takes the position that the patient ought to be aware that his or her personal health information is being provided to the WSIB and/or the employer, the physician ought to notify the patient of that fact.

Professional Expectations Regarding Disclosure

Physicians are expected to act in accordance with all legal requirements, but must also use their best judgment to practise medicine in a safe and humane manner.

Disclosure with respect to incapacity

When physicians have reasonable grounds to believe that another physician or health care professional is incapacitated,12 the College expects physicians to behave ethically and in the public interest by taking appropriate action.

Appropriate action may include, depending on the circumstances, contacting the Physician Health Program at the Ontario Medical Association, the Registrar of the CPSO or other relevant regulatory colleges, or the individual’s friends and family. Since this action will likely require physicians to disclose the individual’s personal health information, physicians are advised to exercise caution and ensure that they uphold their obligations under PHIPA.

Where disclosures are necessary to reduce or eliminate a significant risk of serious bodily harm to a person or a group of persons, or for the provision of care, physicians may be able to disclose the individual’s personal health information without contravening PHIPA. In addition, physicians may be permitted to disclose information to relatives or friends of the incapacitated individual in order to obtain consent for treatment.13

Physicians carry this ethical obligation to take action irrespective of whether there is a physician-patient relationship with the incapacitated physician or health care professional. Physicians may wish to contact their legal counsel or the CMPA for guidance in these situations.

Disclosure to a Family Member or Friend

Situations may arise where physicians are asked by a family member or friend about the condition of a patient. Patients are permitted to restrict the disclosure of such information. For this reason, physicians will be required to obtain express consent from the patient before they are able to disclose the patient’s personal health information. Where the patient is not capable of providing the required consent, physicians must seek consent from the patient’s substitute decision-maker.

The College, however, recognizes that there may be situations where it will not be possible to obtain consent from the patient or the substitute decision-maker. In this situation, the College advises physicians to exercise caution and to use their best judgment when providing information. Discussions with friends and family ought to be limited to basic information about the patient’s general state of health.

Other Topics Related to Disclosure

Disclosure to Custodial and/or Access Parents

There may be instances when a physician receives a request to disclose personal health information to a patient’s parents or a third party where the parents have separated or divorced. If the child-patient has the capacity to provide consent, the physician must first seek the consent of the patient before any disclosure is made.

In dealing with requests from parents to disclose information to the parent or a third party, physicians should be aware that, under provincial legislation, there are different rights for the custodial parent and the non-custodial/access parent. The law, a court order or the terms of a separation agreement may prevent one of the parents from making decisions with respect to the personal health information about their child. Physicians are advised to act with sensitivity and request a copy of the applicable separation agreement or court order prior to releasing any information.

When releasing a child’s medical record or disclosing the information in the record, physicians should exclude any reference or information pertaining to other family members and/or third parties. In addition, physicians are encouraged to keep copies of relevant agreements or court orders in the patient’s medical record.

Disclosure to Police

In the absence of a legal obligation (such as a search warrant, a summons or a mandatory reporting requirement), physicians are not required to provide confidential material to the police. In those circumstances the general rules regarding consent and disclosure apply, meaning that express consent, either from the patient directly or from the substitute decision-maker, will be required before the police are provided with personal health information.

When personal health information is disclosed to the police, physicians are encouraged to record the officer’s name and badge number, the request for information, the information provided, and the authority for the disclosure (e.g., consent, reporting obligation, search warrant or summons). A photocopy of any search warrant or summons should be included in the patient’s medical record. The police or Crown attorney will usually take the originals but leave the physician with copies of the record so that ongoing care can be given.

Proper information practices

Physicians have always been obligated to keep their patients’ personal health information confidential; the introduction of PHIPA, however, has also imposed a legal obligation on physicians to maintain and comply with information practices that, among other things, keep their patients’ personal health information:

  • accurate, current and complete; and
  • protected against theft, loss or unauthorized use or disclosure.

If personal health information is stolen, lost or accessed by, or disclosed to an unauthorized person, patients must, subject to specific exceptions,14 be notified at the first reasonable opportunity.

Conversations with, or about, patients in the health care setting

In the course of practising medicine, physicians are required to ask many questions and/or discuss personal health matters with patients, other physicians/health care professionals and/or office/hospital staff. For this reason, it is essential that physicians and all staff take every precaution to ensure that conversations regarding patient information are not inadvertently overheard by others. Extra sensitivity is required of physicians and staff when discussing patient matters, either on the telephone or in person, within hearing distance of others. For example, physicians should be cautious when discussing matters of personal health with patients in emergency room areas, or when a conversation with staff is taking place close to a reception area.


Technology has provided physicians and patients alike with a more efficient way of maintaining and communicating personal health information. There are, however, several ways in which a physician using modern technology may inadvertently breach patient confidentiality. For example: unsecured wireless network connections can expose information in transit; e-mail can be sent to the wrong recipient; computer files can be read by people who are not authorized to see them; and hard drives that have merely been “erased” may still contain recoverable patient information. The College encourages physicians to capitalize on the advantages that electronic record-keeping and other technological advances have to offer; it remains, however, the responsibility of the physician to ensure that appropriate security provisions have been made.

The College strongly advises that physicians obtain patient consent to use electronic means for communicating personal health information. As part of obtaining consent, physicians must explain to patients the inherent risks of using this form of communication. As a way of recording the patient’s express consent, the CMPA has provided a written consent form that can be used whenever possible. Completed consent forms should be included in the patient’s medical record.

Voice messaging

Physicians may sometimes wish to communicate with patients by telephone, and should confirm and obtain consent to use this method of communication with patients.

On certain occasions, it may be necessary to leave a voice message on an answering machine or with a third party. Physicians should be aware that when leaving voice messages for patients, more than one person in a home or an office may access messages. For this reason, physicians are advised to exercise caution regarding the content of any messages left for patients. While it is acceptable for messages to contain the name and contact information of the physician or the physician’s office, the College advises that messages should not contain any personal health information of the patient, such as details about the patient’s medical condition, test results or other personal matters.

Professional Misconduct

Under the regulations to the Medicine Act, 1991, it is an act of professional misconduct for a physician to:

“[give] information concerning the condition of a patient or any services rendered to a patient to a person other than the patient or his or her authorized representative except with the consent of the patient or his or her authorized representative or as required by law.”15



Endnotes

1. S.O. 2004, c. 3 Sched. A. In force as of November 1, 2004.

2. The majority of physicians in Ontario have liability coverage with the CMPA. Any physician with liability coverage from another provider is advised to contact that provider if uncertainty arises regarding the confidentiality of patient information.

3. Please refer to section 4 of PHIPA, which sets out the exceptions to “personal health information.”

4. Refer to section heading ‘Professional Misconduct’ for direction.

5. In this policy, the provisions in PHIPA should be considered as they apply to physicians.

6. Under PHIPA, whether explicit or implicit, consent must: (i) be that of the individual; (ii) be knowledgeable; (iii) relate to the information at issue; and (iv) not be obtained through deception or coercion. Where applicable, the substitute decision-maker or authorized representative may provide consent on behalf of the individual.

7. The patient is not able to withhold or withdraw his or her consent when the disclosure of personal health information is required by law (See section on ‘Required Disclosure’).

8. PHIPA does not define “circle of care,” however, the term refers to those in the health care team who are involved in the care or treatment of a particular patient. For example, it describes health care practitioners, public or private hospitals, pharmacies, laboratories, ambulance services, community care access corporations. This definition of “circle of care” is supported by the: Ontario Hospital Association, Ontario Hospital eHealth Council, Ontario Medical Association; and the Office of the Information and Privacy Commissioner of Ontario.

9. This statement refers to the provisions in PHIPA where a physician is permitted or required to disclose personal health information without the patient’s consent.

10. This list is not exhaustive. For a complete list of permissible disclosures of personal health information, please refer to sections 38 – 50 of PHIPA.

11. Section 43(1)(h) of PHIPA permits a physician to disclose personal health information where the disclosure is permitted or required by law.

12. ‘Incapacitated’, as defined in section 1(1) of the Health Professions Procedural Code (Schedule 2 of the RHPA, 1991, S.O. 1991, c. 18), means that the member is suffering from a physical or mental condition or disorder that makes it desirable in the interest of the public that the member no longer be permitted to practise or that the member’s practice be restricted.

13. Further details of these permitted disclosures can be obtained by consulting PHIPA directly.

14. Exceptions include if the information is being held for research purposes as permitted under PHIPA or other prescribed exceptions under the Act.

15. Ontario Regulation 856/93, as amended (made under the Medicine Act, 1991) s. 1(1) paragraph 10.