When to disclose confidential information

In brief:

• Confidential information should only be disclosed to third parties if the strict legal test for requiring or permitting disclosure is met.
• If confidential information is disclosed, limit the information to that which strictly fulfills the mandatory reporting obligation.
• Members with questions regarding when it might be appropriate to disclose patient information should contact us for advice.

Duty of confidentiality

Confidentiality is fundamental to the doctor-patient relationship and ensures that patients are free to speak openly about their health concerns and medical history.

However, the duty of confidentiality is subject to exceptions in limited circumstances. These exceptions arise in two distinct contexts:

• When you are required by law to disclose the information – for example, when you have a statutory duty to report. In this case, you must disclose the information.
• When you are permitted by law to disclose the information – for example, when a privacy law exemption allows doctors to disclose personal health information without consent. In this case, you may lawfully disclose the information.

Duty to report

Laws or policies may obligate physicians to report confidential patient information to a third party, such as a government agency.

For example, each province and territory has legislation requiring physicians to report to child protection authorities when there is a child in need of protection, and to a medical officer of health with regard to certain communicable diseases.

In most jurisdictions, motor vehicle legislation requires physicians to report any patient who has a medical condition that may make it dangerous to drive.¹ As well, many Colleges require physicians to report incapacitated or incompetent colleagues who reasonably pose a risk to patient safety, even if those colleagues are patients. Physicians might also be required to disclose confidential patient information through a court order.

Failing to disclose information when required

When required by law to disclose confidential patient information, you will not generally be faulted for breaching confidentiality if you make a report in good faith. However, if you fail to disclose information when required to do so, you may be subject to a civil action, College complaint, or statutory offence. For example, some courts have held physicians liable for failing to report patients who were unfit to drive and subsequently caused harm to others.

Physicians should be aware of their mandatory reporting obligations and comply with them. In making a report, take care to disclose only the information required to fulfill the reporting obligation.

Is there a “duty to warn”?

Canadian courts have not expressly imposed a mandatory “duty to warn” on physicians to alert third parties of a danger posed by patients. However, the Supreme Court of Canada has held that a physician is permitted to warn police when aware of a serious, imminent danger posed by a patient to an identifiable person or group against whom the patient had made specific threats. The Court, however, expressly refused to address whether physicians had a mandatory “duty to warn” in the context of the doctor-patient relationship.

Permission to disclose confidential patient information for the purpose of warning a third party is recognized in all Canadian privacy laws. Privacy legislation generally allows doctors to disclose personal health information without consent to avert an imminent or significant risk of harm to an identifiable person or group.

In Québec, legislation also permits physicians to notify the police if they have reasonable grounds to believe that a person is behaving in such a way as to compromise the safety of that person or another person by the use of a firearm.

Medico-legal risk

Physicians may be faced with various situations that warrant disclosing patient information to prevent harm. Examples include a patient who utters threats against another person, or intends to drive home alone from the hospital impaired. In these circumstances, physicians should:

• discuss with the patient reasonable steps to reduce the immediate risk (e.g. counselling patients, arranging transportation, etc.)
• consider whether they have a mandatory duty to report (e.g. under public health, child protection, or motor vehicle legislation)
• consider whether it is reasonable to warn others (e.g. police) of the threat to a third party or the patient themselves.

Risk management considerations

• Familiarize yourself with applicable mandatory reporting obligations. Limit the information disclosed to that which strictly fulfills the mandatory reporting obligation.
• When you have concerns about a potential risk of harm to a patient or third party, consider whether the circumstances meet the strict criteria giving rise to the permissive authority to warn.
• Be objective and accurate when disclosing patient information to third parties.
• When appropriate, consider informing patients of your intention to disclose or report their personal health information to a third party, and the information that will be shared. This is not necessary if doing so might pose a risk to yourself or others.
• Document in the patient’s record any discussion with the patient, the information disclosed to the third party, and the facts giving rise to the reporting obligation or the belief that there is an imminent or significant risk of harm or death to an identifiable person or group.

Reference

1. 1. 
   In some jurisdictions (e.g., Alberta, Québec, and Nova Scotia), reporting an unfit driver is at the physician’s discretion.

DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.