Protecting patients’ personal health information (PHI) is fundamental to providing high quality patient care. To establish and preserve trust in the physician-patient relationship, patients must be confident that their PHI is protected. This Advice document is intended to help physicians interpret and understand the legal and professional obligations to protect patients’ PHI. If you are uncertain about how to discharge any of these obligations in specific circumstances, consult the Canadian Medical Protective Association (CMPA), your legal counsel, or the Information and Privacy Commissioner (IPC).

General Principles

What is the difference between confidentiality and privacy?

Patients’ PHI is protected when it remains confidential and private. Physicians are generally familiar with the duty of confidentiality, which prohibits them from sharing information about a patient without authorization. In contrast, the duty of privacy is broader and prohibits physicians from accessing PHI where they have no authority to do so. At its essence, it is the difference between “don’t share” and “don’t even look!”¹

These principles are reflected in the Personal Health Information Protection Act, 2004 (PHIPA), which sets out a framework for when health information custodians and their agents, including physicians, are authorized to collect, use, and disclose PHI. Generally speaking, physicians may only access PHI with patient consent and on a “need to know” basis, unless they are otherwise permitted or required to do so by law.

What is “snooping”?

Snooping is when a health care provider accesses a patient’s PHI without authorization – in other words, when they have no “need to know” as part of their duties, and are not otherwise permitted or required by law to access the PHI.

Some health care providers mistakenly believe that they are permitted to review a patient’s PHI so long as they maintain the patient’s confidentiality by not sharing it with anyone else. In reality, snooping is a breach of patient privacy; physicians with technical sign-in ability to an electronic records system do not have authority to access all records in the system and may be snooping if they view a patient’s records where they do not need that information to provide care.

PHIPA refers to “health information custodians” and “agents”. What are these?

A “health information custodian” (“custodian”) is a person or organization who, as a result of their power, duties, or work, has custody or control of PHI. This includes health care organizations such as hospitals, pharmacies, and laboratories, as well as some individual physicians (such as owners of a clinic and physicians working as a sole practitioner in their own practice).²

In contrast, an “agent” is a person who is authorized by a custodian to perform certain activities on its behalf regarding PHI. Generally speaking, this includes physicians practising in hospitals and certain medical clinics, as well as administrative staff in a medical clinic or hospital. Custodians are ultimately responsible for PHI, as well as the actions of their agents.

While PHIPA’s framework is complex, custodians and agents are ultimately obliged to meet the same general expectations regarding the collection, use, and disclosure of PHI. The expectations in the policy therefore apply to all physicians, regardless of whether they are a custodian or an agent, as does the guidance in this Advice document unless noted otherwise.

However, if you are a custodian, you should be aware of additional PHIPA rules that apply specifically to custodians, such as those regulating the retention, transfer, and destruction of records. If you are a custodian, you are advised to consult PHIPA and the CPSO’s Medical Records Management policy for further information regarding these obligations.

Who is found within the “circle of care”?

The term “circle of care” is not found in PHIPA, but is commonly used to determine whether a physician can rely upon implied consent to collect, access, and share PHI. The circle of care is made up of health care providers who need access to the patient’s PHI in order to provide the patient with health care.

• In an office setting, the circle of care may include the physician, a nurse, a specialist or other health care practitioner referred by the physician, any other health care practitioner selected by the patient (such as a pharmacist or physiotherapist), and administrative staff who need PHI to carry out their duties (for example, scheduling appointments).
• In a hospital setting, the circle of care may include the attending physician and the health care team (residents, nurses, clinical clerks), administrative staff who need PHI to carry out their duties, and people outside the hospital who will be providing health care upon the patient’s discharge.

The circle of care does not include:

• Health care providers who are not part of the direct or follow-up treatment of a patient, as these individuals do not need the PHI to provide health care to the patient; and
• Non-health care providers, like family, friends, the police, an insurance company, and the patient’s employer.

For further information, see the IPC documents Frequently Asked Questions: Personal Health Information Protection Act and Circle of Care: Sharing Personal Health Information for Health-Care Purposes.

When do I enter and exit the circle of care?

PHIPA does not address timing with respect to when a physician formally enters or exits the circle of care. Determining if you are within the circle of case will be an assessment based on the role you are playing in the patient’s care.

As an example, if you have treated the patient and are continuing to provide follow-up care, you are still within the circle of care and may assume you have implied consent to access their PHI to provide health care. However, a physician does not necessarily continue to be in a patient’s circle of care indefinitely. If you are no longer directly providing health care and/or follow-up treatment, you may no longer have the right to rely on implied consent to access the patient’s PHI.

When in doubt, check with your custodian (e.g., hospital), legal counsel, and/or the CMPA to find out if you are permitted to access the patient’s PHI.

How much information can I leave in a voicemail?

While physicians always have an obligation to maintain patient confidentiality, regardless of the mode of communication (i.e., phone, letter mail, email, etc.), not all information is equally sensitive. Moreover, when scheduling appointments, it is often essential to the provision of care that this information be communicated quickly and effectively.

To that end, the College is not prescriptive about how physicians should communicate appointment information with patients. However, it would generally be reasonable to leave voicemails to share basic appointment information, so long as additional, sensitive health information is not included. What is reasonable is different in each situation and you will need to exercise some judgment in considering factors like whether the voicemail will be accessible to people other than the patient. As a best practice, consider regularly reviewing with patients their preferred mode of communication, including whether their voicemail is private or shared.

Can I access a patient’s PHI for education or quality improvement purposes?

It is common for physicians to want to access a patient’s PHI in order to understand and assess the outcome of their treatment decisions, and PHIPA permits this kind of activity in certain circumstances for physicians who act as agents.

Under PHIPA, a custodian may permit its agents to use PHI without consent in some limited ways, including:

• education, such as where cases are reviewed with trainees and/or presented during rounds (though PHI should not be used where other non-identifying information will meet the purpose); and
• risk management, error management, and quality improvement, such as where patient outcomes are reviewed to evaluate the effectiveness of personal practice or programs.

If you are an agent, your custodian may permit you to access PHI for these purposes, subject to any restrictions or conditions the custodian may have imposed. If your custodian has not expressly permitted you to access PHI for these purposes, you may not do so. You should therefore exercise caution and ensure you have proper authority to access a patient’s PHI in these situations – when in doubt, check with your custodian to find out if you are permitted to do so.³

If you are a custodian, PHIPA also permits you to disclose a patient’s PHI to certain other custodians where:

• you and the other custodian have both provided health care to the same patient; and
• you are disclosing the PHI to improve or maintain the quality of care provided to that patient or to other patients receiving similar health care.

These rules permit custodians to discuss with each other the treatment and outcomes of care they have provided to a patient. For further information you may refer to s. 39(1)(d) of PHIPA.

In any of the above circumstances, keep in mind that accessing information about a patient’s condition or outcome simply out of interest is never permitted under PHIPA.

What do I do if a patient requests that their PHI be placed in a lockbox?

Where a patient asks for restrictions on who can access their PHI, consider speaking with them to determine if there are specific concerns about their care or underlying issues that need to be addressed.⁴ In accordance with the policy, you must have a conversation with them about the risks, limitations, and implications of creating a lockbox on the patient’s ability to receive health care. This may include notifying the patient that the existence of the lockbox may have to be disclosed in the future to a physician to whom you refer the patient. The purpose of this discussion is to promote clear communication between the patient and physician, and may also provide an opportunity for the patient to reconsider the existence of the lockbox for the purpose of the treatment.

Unique considerations may apply in an emergency. PHIPA is not intended to prevent the sharing of vital information in critical or emergency situations affecting individuals or public health and safety.⁵ In particular, as noted below, PHI may be disclosed without the patient’s consent in situations where the disclosure is necessary for eliminating or reducing a significant risk of serious bodily harm to a person or group of persons, including the patient.

Permitted and Required Disclosures

In what situations am I permitted to disclose PHI without consent?

In some circumstances, PHIPA permits physicians to disclose PHI without consent. In some of these cases – including a), b), c), e), and f) below – disclosure is only permitted at the discretion of the custodian. If you are acting as an agent, check with your custodian to see whether the disclosure is permitted.

1. Assisting in a police investigation. While permitted under PHIPA, you are not required to disclose PHI to police in the absence of a court order. The CMPA generally advises physicians to refrain from doing so unless the patient has consented or the disclosure is otherwise required by law. For further guidance, consult the CMPA’s Physician interactions with police document, with legal counsel, and/or the CMPA.
2. Eliminating or reducing significant risk of serious harm to a person or group of persons. It is good practice to document all activities in this respect in the patient’s medical record.
3. Facilitating health care. If the disclosure is reasonably necessary for the provision of health care and it is not reasonably possible to obtain the patient’s consent in a timely manner, you may disclose relevant information to other physicians and certain other health professionals unless the patient has expressly instructed you not to.
4. Reporting physician (or other health care provider) incapacity and incompetence, where this is appropriate in the circumstances.
5. Regulating the medical profession. You are permitted to disclose PHI to the CPSO for the purpose of administering and enforcing the RHPA, 1991, including carrying out regulatory duties such as investigations and assessments.
6. A proceeding or contemplated proceeding in which you or your hospital is, or is expected to be, a party or witness.

This list is not exhaustive; please refer to sections 38-50 of PHIPA and the CPSO’s Mandatory and Permissive Reporting policy for further information.

Where you plan to make (or have made) a disclosure in any of these circumstances, consider whether it would be appropriate to speak with the patient about the reason for the disclosure and what information was disclosed in order to maintain open communication.

In what situations am I required to disclose PHI without consent?

In some circumstances, you are required by the law to disclose a patient’s PHI, regardless of whether the patient consents. While not an exhaustive list, the following examples provide an overview of the circumstances you might encounter most frequently:

• Mandatory reports listed in the CPSO’s policy on Mandatory and Permissive Reporting, including reports of suspected impaired driving ability under the Highway Traffic Act and reports to the Ontario Coroner under the Vital Statistics Act and the Coroners Act.
• Disclosures required by the Ministry of Health in order to monitor or verify claims for payment for health care, or for goods used for health care that are funded by the Ministry.
• Reports required by the Workplace Safety and Insurance Board in circumstances where health care is being provided to a worker claiming benefits under their workplace insurance plan.
• Critical incident reports, as required by the “Hospital Management” regulation⁶ under the Public Hospitals Act.
• Search warrants (which grant the police broad authority to search for and seize evidence, including records) and court summons (which may require you to attend court with specific documents or materials). In these cases, consult legal counsel and/or the CMPA, including their resources on physician interactions with police.

Where you plan to make (or have made) a disclosure in any of these circumstances, consider whether it would be appropriate to speak with the patient about the reason for the disclosure and what information was disclosed in order to maintain open communication.

Where can I find further information about privacy breaches?

A “privacy breach” refers to a theft, loss, or unauthorized access, use, or disclosure of PHI that contravenes PHIPA. Custodians are responsible for reporting privacy breaches to the affected individuals, the IPC, and/or the CPSO in specific instances. Custodians are also required to report certain information annually to the IPC. For information, see the CPSO’s Mandatory and Permissive Reporting policy and the IPC documents Responding to a Health Privacy Breach: Guidelines for the Health Sector, Reporting a Privacy Breach to the IPC, and Annual Reporting of Privacy Breach Statistics to the Commissioner.

Information from Third Parties: Friends, Family, and Research

This section deals with requests for patient information from third parties. In all of the following scenarios, the general rules under PHIPA apply: unless otherwise permitted or required by law, PHI can only be shared with third parties with the express consent of the patient.

What do I do if a friend or family member, who is not the patient’s SDM, requests access to the patient’s medical information or records?

It is not uncommon for physicians to be asked by a family member or friend about the condition of a patient or for information about the patient’s health. These situations can be challenging to manage, as the circumstances under which PHIPA allows you to do so are limited.

In the context of facilities that provide health care (e.g. hospitals or psychiatric facilities), you may disclose the following PHI about a patient or resident of the facility if the patient or resident is offered, at the first reasonable opportunity following admission, the ability to object to the disclosure:

• the fact that the individual is a patient or resident in the facility;
• the individual’s general health status described as critical, poor, fair, stable or satisfactory, or in similar terms; and
• the location of the individual in the facility. 

In the context of psychiatric facilities, the Mental Health Act also allows PHI about a patient to be collected, used, or disclosed (with or without the patient’s consent) for, among other reasons, examining, assessing, observing or detaining the patient in accordance with the Act.

PHIPA also permits you to disclose PHI where the disclosure is required to contact a relative, friend, or potential SDM if the patient is injured, incapacitated, or ill and unable to give consent personally.

When managing a request for information from family or friends, use your professional judgment and limit disclosure about the patient’s state of health unless one of the above circumstances applies.

How do I manage a request for PHI from a family member where the patient has died?

PHIPA allows you to disclose PHI without consent in limited circumstances where the patient has died, including where the PHI is required to identify the patient, advise of the patient’s death and (where appropriate) the circumstances of death, and provide information that relates to the patient where it is needed by a spouse, partner, sibling, or child to make health care decisions.  

In most other situations, consent will be required before you can disclose PHI about a deceased patient. Consent will need to be obtained from the deceased’s estate trustee (the executor) or, if there is no trustee, the person who has assumed responsibility for the administration of the estate. A person who was the power of attorney while the patient was alive will no longer have authority to provide consent, unless that same person is the estate trustee or administrator. Consider requesting confirmation of who the estate trustee is, such as by asking for a copy of the will or a letter from the patient’s or family lawyer. If there is no trustee, consider asking for a lawyer’s letter advising who has assumed responsibility for administration of the estate.

What do I do if a child patient’s parent or a third party requests access to the patient’s PHI?

There may be instances where you are asked to disclose PHI to a patient’s parents or a third party, like a lawyer or mediator, including in situations where a child patient’s parents have separated or divorced. In all cases, you must obtain consent directly from the child patient where they have capacity to make the decision, even if they are accompanied by a parent or guardian. Physicians can rely on a presumption that individuals, regardless of age, are capable of consenting to the collection, use, or disclosure of PHI unless there are reasonable grounds to believe otherwise.

In cases where a capable patient is under the age of 16 and the information in question does not relate to a treatment decision⁷ the patient has made, PHIPA allows parents to also consent. Even here, however, the patient’s decision will govern over a conflicting decision of their parent.

When seeking consent from a parent, it is important to know that parents with only a right of access to the child (as opposed to custody) are not permitted by PHIPA to provide consent. A family court order or a separation agreement may specify who has custody of and access to the child, and therefore who may make decisions about the child’s PHI. Consider requesting a copy of the applicable court order or separation agreement prior to releasing any information and keeping it in the patient’s medical record.

How do I manage a request for PHI in the context of couple, family, or group therapy?

Where therapy is being provided in a group setting, the consent obtained from the patients will generally set out how their PHI will be shared amongst the therapy participants. However, special considerations may apply where PHI is recorded as part of an assessment of an individual patient within a group therapy context, or where a patient receives a combination of individual and group therapy. Be mindful that the patient may not have consented to sharing this specific PHI with the group and that you may need to protect it accordingly.

Where a third party (e.g. a mediator, lawyer, or the court) requests records relating to couple, family, or group therapy, the general PHIPA rule applies: you may not disclose PHI without patient consent unless permitted or required to do so by law. In a therapy setting involving more than one patient, consent may be required from all the patients involved in the therapy, and the consent will need to be specific to the material requested.⁸

Can I use PHI for research purposes?

Physicians sometimes undertake research using their own patients as participants. In other cases, they are requested by industry to identify eligible patients or to release general patient data for research that will be conducted by third party researchers.

PHI must only be used or disclosed for research purposes with patient consent or as permitted by law – that is, where the research ethics board that has approved the research has concluded that it is impractical to obtain patient consent and proper safeguards have been put in place.

Where PHI will be used or disclosed (either with consent or as permitted by PHIPA), you are reminded to only use or disclose as little PHI as possible to meet the research needs and to de-identify the PHI whenever possible.

What are my obligations as an Independent Medical Examiner (IME)?

An IME is a physician who provides a third party report about an individual with whom the physician does not have a treating relationship. These reports are prepared for a third party process (e.g. a legal proceeding), instead of for a health care purpose. The provisions of PHIPA therefore do not apply in this context; instead, the federal Personal Information Protection and Electronic Documents Act will apply to the collection, use, and disclosure of personal information for this purpose. Given that different rules govern the preparation of third party reports and the conduct of a medical expert, please see the CPSO’s Third Party Reports and Medical Expert: Reports and Testimony policies for further information.

Technology and e-Communication

What are the benefits and risks of e-communication?

Technology has provided physicians and patients alike with a more efficient way of maintaining and communicating PHI. The CPSO recognizes and encourages physicians to capitalize on the advantages that electronic record-keeping and e-communications have to offer.

At the same time, one of the major risks of using modern technology to communicate PHI is that the PHI will be inadvertently disclosed to someone who should not have it. This can happen in a variety of ways:

• Wifi networks and telemedicine communications can be unsecure (particularly free wifi networks in public places);
• Emails can be sent to the wrong recipient or otherwise intercepted;
• Unauthorized readers can access computer files;
• Mobile devices can be lost or stolen; and
• Erased hard drives or USBs can contain private information.

Ultimately, e-communication may be best suited for minor tasks, such as scheduling appointments and appointment reminders, and not for urgent or time-sensitive health issues.

What are the rules around video surveillance of patients and premises?

The highest security precautions need to be taken to protect patient privacy where video surveillance is used in a health care setting. While the most common use of this activity is for building security, physicians need to be aware that highly sensitive PHI may be collected in the process.

The IPC provides guidance for health care providers who employ video surveillance. For further information, see the IPC’s Fact Sheet on Wireless Communication Technologies: Video Surveillance Systems and the blog post Cameras in Doctors’ Exam Rooms? Not in Ontario.

Can a patient record their appointment with me? Can they take a picture of their chart?

It is becoming increasingly common for patients to want to record their medical appointments via audio, video, or photography. In many cases, these recordings can benefit patients by helping them understand and remember the information they are being provided. However, recordings also have the potential to raise broader issues, including patients recording in public areas (such as waiting rooms) and physicians being recorded without their knowledge.

The CMPA provides guidance to physicians to manage these situations. For further information, see the CMPA’s document Smartphone recordings by patients: Be prepared, it’s happening.

What is encryption and what kinds of e-communication are encrypted?

For further guidance, consider seeking advice from an expert in the area of encryption and technological security. You may also consult the resources available through OntarioMD's privacy and security resources and training modules, the IPC documents Communicating Personal Health Information by Email and Fact Sheet: Encrypting Personal Health Information on Mobile Devices, and Order HO-004 (2007), which sets out the IPC’s encryption standard for mobile devices.

What do I do if a patient sends me an unsolicited email?

With contact information and email addresses becoming readily accessible online, it is also becoming more common for physicians to receive unpromoted or unsolicited emails from patients. In managing these communications, and assuming that the patient is using unencrypted technology, the policy requires physicians to consider whether it is reasonable to communicate with patients through unencrypted e-communication, taking into account the factors set out in provision 15.a.

Where you determine that it is reasonable to use unencrypted e-communication, you must obtain and document the patient’s express consent, which requires that you inform them of the information set out in provision 15.c. It is not sufficient to rely on implied consent based on the fact that the patient initiated the e-communication, since the patient may not be (fully) informed of the risks of communication PHI over unsecure email. Where you determine in the circumstances that it is not reasonable to communicate through unencrypted e-communication, consider suggesting that the patient use a more secure alternative method of communication.

Endnotes

^1. Kate Dewhirst, “New snooping case for health privacy – Decision 74 of the IPC released,” September 5, 2018.

^2. This list is non-exhaustive; a full legislative definition, along with certain exceptions, is found s. 3 of PHIPA.

^3. PHI viewed through the province’s Electronic Health Records Services, such as ConnectingOntario ClinicalViewer, may be subject to additional restrictions on use and disclosure. For further information regarding the appropriate use of ConnectingOntario ClinicalViewer, see the resources available through Ontario Health.

^4. CMPA, Did you know? Patients can restrict access to their health information, November 2017.

5. IPC, Frequently Asked Questions: Personal Health Information Protection Act, pp. 29-30.

^6. R.R.O. 1990, Reg. 965.

^7. This includes “treatment” as defined in accordance with the HCCA and counselling provided under the Child, Youth, and Family Services Act, 2017, S.O. 2017, c. 14, Sched. 1.

^8. Section 52(3) of PHIPA also states that where a record is not dedicated primarily to PHI about the person requesting access to it, they have a right of access only to the PHI in the record that can “reasonably” be separated from the rest of record.