Using electronic communications, protecting privacy

Originally published October 2013; Revised January 2016
P1304-3-E

Technology is changing communication between doctors and patients, and between physicians and other health care providers. While electronic communication can improve patient care and enhance patients’ engagement in their care, it can also present unique challenges to patient privacy and confidentiality.

To help members address some of the medical-legal risks of using electronic communications (eCommunications) in their practice, the CMPA has developed an electronic communications consent template [PDF, DOC]. This template, or form, is intended for physicians to use as the basis for an informed discussion with patients about the use of eCommunication tools. It should be modified by physicians to suit the particular circumstances of their practice, and the applicable medical regulatory authority (College) requirements and privacy legislation in their jurisdiction.

The CMPA’s experience suggests that, at present, physicians are most interested in using email and instant messaging (texting), videoconferencing (including Skype and FaceTime), patient portals, and various social media applications. All these electronic communication tools can be accessed from a number of devices, including smartphones and tablets.

Physicians are aware of their general obligations to protect patient information. If they are considering using electronic communication tools with patients, they must also be aware of the risks to patient privacy that are inherent in the use of the devices and applications. The risks related to each are not necessarily the same. In addition, while patients need to be informed of the benefits of electronic communications, they must also be informed of the potential risks. Doctors should have an informed consent discussion with patients, and if the tools will be used, patients’ consent should be recorded in their records.

The CMPA’s electronic communications consent template [PDF, DOC] is offered primarily as a basis for an informed consent discussion, but may also help in developing an appropriate form for documenting consent. It is worth repeating that members should be aware that using the eCommunications consent form is not a substitute for a proper and informed discussion with patients about the risks associated with the use of the technology. It also does not relieve physicians of their obligation to fulfill all applicable jurisdictional privacy obligations.

Communication via email and messaging

Despite their pervasiveness and convenience, email and texting are often the least secure communication tools. Imagine, for a moment, using standard email software to send personal medical information to a patient — and getting the email address wrong. Worse — the email does not bounce back, but rather appears in the mailbox of an unintended recipient. The risks of interception or errors in sending email, texts, or instant messages can be significant. For these reasons, some privacy commissioners have indicated that using unencrypted email and texting with personal health information should be avoided, and in the case of Alberta, appropriate security is mandated by the Health Information Act.

Despite any disclaimer physicians may include in the message, they remain responsible for protecting patient health information and preventing unauthorized access. Privacy legislation generally requires that custodians adopt safeguards to protect the personal health information under their control. Privacy regulators generally agree that the use of encryption software to protect electronic messages is a reasonable safeguard under the circumstances. There are a number of enterprise solutions that can provide encryption, including many patient portals. The protection options that are available outside the institutional environment can be complex and expensive; however, more encryption options and applications are becoming available for use on devices such as smartphones.

Physicians considering using unsecured or unencrypted email or messaging should do so only for information that does not include identifiable personal health information. Physicians wanting to make limited use of unencrypted email or text messaging should review the CMPA’s article, "Using email communication with your patients: legal risks", which outlines the advice and information members should consider giving patients in those circumstances, including having a discussion about the risks of using email or messaging.

Patient portals — Active pathways for two-way communication

Patient portals have been used in a limited way in community health practice since the 1990s.[1] In recent years they have evolved into popular, secure interactive tools that can greatly enhance communication between physicians and patients, and help patients better manage their health.

There are multiple communication functions of web-based portals. For example, portals can house patient profiles and medical records, contain patient education documents, generate alerts and reminders for prescriptions and medication management, make the booking of appointments more efficient, and enable quick review of lab reports and follow-up messages to patients.

A growing number of physicians are taking advantage of this technology, particularly in response to patients’ demand for accessibility to everyday technologies that increase convenience and access to information. However, physicians using patient portals should clearly understand the benefits and limits of the technology and what steps should be taken to protect personal health information. While some of the functions of portals may appear innocuous, even downloading patient education materials could communicate confidential information about an individual's health status.

Patient portals need to be secure and accessible only by those who are authorized. The chosen platform must have adequate security systems to protect patient information and private online conversations, and to meet the requirements of applicable privacy legislation. Because the technical and security issues with portals can be complex, physicians and institutions should seek appropriate advice.

Patients also need to be informed in advance about how a portal will be used for online communication. They need to be aware that portals should never be used for urgent messages or time-sensitive health issues. Physicians should explain what information is available and what will be shared through the portal. They should also explain that not all information should be shared online and that face-to-face consultations may be required to avoid the possibility that patients may misinterpret results or to ensure appropriate follow-up care.

This discussion with the patient should be noted in the patient record. Consent forms [PDF, DOC] should set out the terms of use for the portal and the patient's consent to its use for those specific purposes. As well, a terms of use agreement [PDF] should be submitted online before the patient is granted a password and access to the portal. These agreements outline the terms and conditions under which patients can use the portal.

Social media

Physicians need to keep privacy and confidentiality in mind when using social media such as Facebook, YouTube, LinkedIn, or Twitter. These networks can be valuable for sharing information for health promotion and for educational purposes. However, physicians should not communicate identifiable patient health information using social media. While some of these networks appear to mimic private one-on-one conversations through a chat function or direct messaging, content communicated via social media is unprotected and publicly accessible. Despite rigorous use of privacy settings, information shared on social media sites should be considered public forever.

Physicians should review guidelines provided by their College on the use of social media. Some Colleges provide detailed guidelines for sharing information on blogs, discussion forums, and maintaining professionalism.

Remember that social media platforms are public channels and can be considered equivalent to the front page of any newspaper or home page of any website.

Videoconferencing

Videoconferencing is increasingly being used to communicate with and deliver medical services to patients. Platforms such as Skype and FaceTime are frequently employed as telehealth tools, especially to provide clinical care directly to patients who live in remote communities or who have limited access to services outside their home.

The CMPA article, "Videoconferencing consultation: When is it the right choice?", emphasizes the importance of assessing whether videoconferencing is appropriate in the patient’s particular circumstances. Physicians should be aware of the limitations of the technology and determine whether it is appropriate to use in each specific circumstance. If the standard of care cannot be met using videoconferencing or patient privacy cannot be adequately protected, then an in-person consultation should be considered. Physicians should also be aware of and follow their College’s position on the use of videoconferencing.

Reducing risk in eCommunications

Physicians who communicate personal health information electronically need to keep in mind that they are governed by the same legal and professional standards that would apply in other professional settings. For example, physicians should carefully consider how they will document electronic communications in the patient’s medical record.

Further, physicians using electronic communication with patients need to be aware of and follow the privacy legislation and College requirements that apply to their practice and jurisdiction.

Physicians should establish policies and procedures for using electronic communications in their practice. Employees should be informed of the risks of each form of electronic communication and trained to follow the policies and procedures.

Finally, physicians should consider what security measures and procedures they will adopt to reduce the risk of privacy breaches. This includes using appropriate protection and privacy settings. A patient's informed consent to eCommunications should be obtained and documented, either through a notation in the patient's medical record or by a signed consent form or terms of use agreement. Even if a consent form [PDF, DOC] or terms of use agreement [PDF] is signed, physicians should still document in the patient’s record the discussion with the patient about the risks and limitations of any electronic communication tool(s) that will be used. Physicians need to keep abreast of advances and be informed about privacy and security issues related to their jurisdiction and practice environment.

Reference

  1. Coach: Canada's Health Informatics Association. Privacy & Security for Patient Portals: 2012 Guidelines for the Protection of Health Information, Special Edition [Internet]. Toronto: Coach; 2012 [cited 2016 Jan 15]. 111 p. Available from: http://www.ehealthontario.on.ca/images/uploads/pages/documents/Privacy-Security-for-Patient-Portals.pdf

DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.