Duties and responsibilities
When to disclose confidential information
Originally published March 2015
Physicians often face situations where their duty to keep patients’ information confidential conflicts with a statutory duty or a concern for public safety. These issues can be challenging to resolve and can expose physicians to medico-legal risk if not carefully managed.
Duty of confidentiality
Physicians’ duty to maintain patient confidentiality is fundamental to the therapeutic relationship. It ensures that patients feel free to speak openly with their doctor about their health concerns and medical history, which in turn improves their treatment outcomes.
The duty of confidentiality is not only an ethical obligation, but also a legal one. However, it is not absolute and is subject to exceptions in limited circumstances.
The exceptions to a physician’s obligations to protect confidential patient information can arise in two distinct contexts:
- when doctors are required by law to disclose the information, or
- when the doctors are permitted by law to disclose the information
In the first case physicians must disclose the medical information (e.g. doctors have a statutory duty to report); in the second, physicians may lawfully disclose the information (e.g. privacy legislation exceptions that permit doctors to disclose personal health information without consent).
Duty to report
Physicians may be obligated by some legislation, policies, or by-laws to report confidential patient information to a third party, such as a government body. This mandatory obligation is generally referred to as a “duty to report.”
For example, each province and territory has legislation requiring that physicians report to child welfare authorities a child in need of protection, or report to the medical officer of health patients with certain communicable diseases. In some jurisdictions, motor vehicle legislation requires physicians to report any patient who has a medical condition that may make it dangerous to drive.1 As well, many regulatory authorities (Colleges) require members to report incapacitated or incompetent colleagues who reasonably pose a risk to patient safety, even if those colleagues are patients. Physicians might also be required to disclose confidential patient information through an Order issued by a court.
The medico-legal risks
When required by law to disclose confidential patient information, physicians will not generally be faulted for breaching confidentiality if they make their report in good faith. The legislation typically protects physicians from liability for reports made in good faith.
If physicians fail to disclose information when required to do so by law, they may be accused of professional misconduct. For example, some courts in Ontario have held physicians liable for failing to report patients who were unfit to drive.2 It has been held that the duty to report unfit drivers in Ontario is mandatory and without exception, even if a physician is reassured by the patient that he or she would not drive and even if the physician was aware that the patient has already been reported.
Physicians should be aware of their mandatory reporting obligations and comply with them. In making a report, care should be taken to do so in good faith, and report only the information required and only in the specified circumstances.
Is there a “duty to warn”?
Canadian courts have not expressly imposed a mandatory “duty to warn” on physicians to alert third parties of a danger posed by patients. However, the Supreme Court of Canada has held that a physician was permitted to warn police when aware of the serious, imminent danger posed by a patient to an identifiable group against whom the patient had made specific threats.3
The Supreme Court recognized that physicians may disclose confidential patient information in the limited and exceptional circumstances in which they have reason to believe there is an imminent risk of serious bodily harm or death to an identifiable person or group. The Court, however, expressly refused to address whether physicians had a mandatory “duty to warn” in the context of the doctor-patient relationship.
The permission to disclose confidential patient information for the purpose of warning a third party is also recognized in privacy legislation. Privacy legislation generally allows doctors to disclose an individual’s personal health information without consent to avert an imminent risk of serious bodily harm to an identifiable person or group.
In Québec, legislation permits physicians to notify the police if they have “reasonable grounds to believe that a person is behaving in such a way as to compromise the safety of that person or another person by the use of a firearm.”4 Physicians generally may only provide the information that is required to facilitate a police intervention, but that can include confidential patient information.
Policies or guidelines
The CMA’s Code of Ethics states that a physician may disclose a patient’s personal health information to a third party without consent where “the maintenance of confidentiality would result in a significant risk of substantial harm to others or, in the case of incompetent patients, to the patients themselves.”5
Many Colleges have echoed this principle in policies and guidelines. Physicians should familiarize themselves with the relevant rules of their regulatory body.
Physicians may be faced with a patient who utters threats against another person, refuses to disclose seropositive status to sexual partners, or intends to drive home alone from the hospital impaired. In these circumstances, physicians should consider whether they:
- should discuss with the patient reasonable steps to reduce the immediate risk (e.g. counselling patients, offering to assist patients in speaking to partners, arranging transportation, etc.)
- have a mandatory duty to report (e.g. under public health, child protection, or motor vehicle legislation)
- are permitted to warn others (e.g. police) of the threat to a third party
Ask the CMPA
Physicians are encouraged to seek advice from the CMPA as to the appropriateness and scope of any disclosure of confidential patient information to a third party. Confidential information should only be disclosed to third parties if the strict legal test for requiring or permitting the disclosure is met. If any confidential information is to be disclosed, it should generally be limited to the minimum information necessary to protect the safety of the patient or the third party.
Risk management considerations
- Familiarize yourself with applicable mandatory reporting obligations. Limit the information disclosed to that which strictly fulfills the mandatory reporting obligation.
- When you have concerns about a potential threat to a patient or third party, consider whether the circumstances meet the strict criteria giving rise to the discretion to warn.
- Be objective and accurate when disclosing information to third parties.
- When appropriate, consider informing patients of your intention to disclose or report their personal health information to a third party in this context, and the information that will be shared. This is not necessary if you consider that doing so might pose a risk to yourself or others.
- Document in the patient’s record any discussion with the patient, the information disclosed to the third party, and the facts giving rise to the reporting obligation or the belief that there is an imminent risk of serious bodily harm or death to an identifiable person or group.
- Members with questions on their duty to keep patient information confidential should not hesitate to contact the CMPA for more information and advice.
- In some jurisdictions (e.g. Alberta, Québec, and Nova Scotia), reporting an unfit driver is at the physician’s discretion.
- Toms v. Foster (1994); Spillane v. Wasserman (1992).
- Smith v. Jones (1999). The Supreme Court of Canada did not follow American cases, such as Tarasoff v. Regents of University of California (1976), which have imposed a separate “duty to warn” on physicians.
- An act to protect persons with regard to activities involving firearms, L.R.Q. c. P-38.001.
- Canadian Medical Association, “CMA Code of Ethics,” 2004. Accessed December 18, 2014 from: https://www.cma.ca/En/Pages/code-of-ethics.aspx