Why do you need to know? A balancing act for accessing personal health information

Published: September 2020 / Revised: July 2024

The information in this article was correct at the time of publishing

In brief

  • Accessing a patient’s personal health information for unauthorized purposes or by unauthorized individuals is a breach of patient privacy. This may generate a privacy commissioner investigation or complaint to a regulatory authority (College) or a hospital, and result in a physician facing sanctions.
  • When a physician is not currently providing care for a specific patient but wishes to access that patient’s medical record, the physician should first ensure the custodian of the information has granted approval for such access for the intended purposes. These purposes can include quality improvement activities, teaching, or responding to a medico-legal matter.
  • Before accessing medical records for purposes unrelated to the direct provision of patient care, physicians may consider discussing their information needs with their institution or clinic, and contacting CMPA for advice.

When is viewing a medical record a breach of patient privacy?

Examples of possible privacy breaches

  • Accessing a family friend’s medical history out of curiosity. This would generally be considered “snooping” and would likely constitute a privacy breach and be subject to sanctions.
  • Accessing a former patient’s records when the physician is no longer in the patient’s circle of care. Consider, for example, an emergency physician who treats a patient but has no further involvement in the patient’s ongoing care. Several weeks later, she accesses the patient’s chart to review the subsequent treatment and to confirm whether she had provided appropriate care. If the physician has no apparent need to know this information, such access might contravene privacy legislation or health authority/hospital policies.

Exceptions allowing access

There are exceptions under privacy legislation that permit access to patient health information for specified secondary purposes such as for educational purposes and quality improvement activities.

If the physician is not the custodian of the records, they should seek authority from the custodian prior to accessing patient information for purposes unrelated to direct care. Physicians may also wish to consult with CMPA prior to accessing patients’ records when there is no ongoing treating relationship or authorization from either the hospital or the patient.

Who controls access to patient health information?

Physicians may regard patient health information as theirs to use in the course of providing clinical care, guided by their professional judgment to determine what constitutes appropriate use of such information for this purpose.

However, individual patients have the right to determine who may access their health information and under what circumstances. Patients can therefore place conditions or restrictions on which health providers or others can access their information. This is typically achieved through a process called a lockbox or masking, or through disclosure directives, depending on applicable privacy legislation and the functionalities of the electronic records system.

Where a patient makes a request to place limits on who may access their personal health information, the custodian of the medical records is generally obliged to acquiesce to the patient’s wishes unless other legal authorization for the release of information applies.

Office practice

In a solo office practice, the physician is the custodian and therefore controls access to medical records. The physician has a duty to protect patients’ privacy and maintain the confidentiality of patients’ personal information. These obligations also extend to a physician’s office staff.

As part of managing office staff, consider the following safeguards:

  • Require each staff member to sign a confidentiality agreement that details responsibilities concerning patient privacy. It is a good idea to renew the agreement on a regular basis.
  • Have in place a written privacy policy pursuant to the relevant provincial or territorial legislation, and ensure appropriate privacy training is provided to staff and others who may require access to patient records to perform their responsibilities.
  • Communicate to staff that they must obtain a patient’s or substitute decision-maker’s consent before releasing personal health information to the patient’s family members or a third party.
  • Remind staff that they may access a patient’s record only if they have a need to know, such as supporting the provision of healthcare services or for other approved purposes including quality improvement activities.

Shared practice

In a shared practice such as a hospital or clinic, the organization is typically the custodian with access control over medical records. Alternatively, if the physicians maintain patient rosters and records separately, the individual physicians may be the custodians of their patients’ records in a manner similar to a solo office practice.

Institutions typically grant physicians access to patients’ medical records for the purposes of providing clinical care. If physicians wish to access a patient’s information after their involvement in providing care has ended, they should request access from the institution if such access is not already allowed. These purposes can include quality improvement activities as well as teaching or responding to a College or hospital complaint or legal action.

If the institution does not allow access to a medical record for a desired purpose, the physician or other care provider may turn to the patient for the necessary consent.

Physicians may want to encourage their institution or clinic to develop a privacy policy, if one does not already exist, that clarifies permitted access to patient records for quality improvement purposes, teaching, or for responding to a medico-legal matter.

Consider the following before accessing records for a purpose other than providing clinical care:

  • While privacy legislation generally allows access to relevant patient information to respond to a medico-legal matter (e.g. College or hospital complaint), discuss your information needs with your institution or clinic, and contact CMPA before accessing the records.
  • Determine if the use is specifically authorized under the institution’s privacy policy. If not, seek permission from the institution, and be forthcoming about your reasons for requesting access to a patient’s chart.
  • If access to records is ongoing and recurrent, ensure the institution is aware and approves of this use.
  • Do not assume that past consent for the provision of care extends to indefinite access and for purposes unrelated to clinical care.
  • Be aware that built-in audit controls of electronic records systems may automatically detect each instance of access to a record. Be prepared to justify any access that is not required for the provision of clinical care.
  • Become familiar with any legal contract (e.g. data sharing agreement, or inter-physician agreement among a group of physicians) that applies to your use of an electronic records system. (See the Electronic Record Handbook for more information.)
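The access rules this article describes (need to know through the circle of care, a patient lockbox that masks a record, custodian approval for secondary purposes such as quality improvement, and an audit control that records every access so that non-care access can be justified) can be modelled as a small policy engine. The following is an added illustration written for this page, not CMPA code and not the behaviour of any particular electronic records system; the provider names, patient identifier, approval tuples, and the choice to let a lockbox override every purpose (ignoring the "other legal authorization" exception) are constructed assumptions.

```python
from dataclasses import dataclass, field

CARE = "clinical_care"
SECONDARY_PURPOSES = {"quality_improvement", "teaching", "medico_legal_response"}


@dataclass
class Patient:
    patient_id: str
    # providers currently involved in this patient's care ("need to know")
    circle_of_care: set = field(default_factory=set)
    # providers the patient has masked the record from (lockbox / disclosure directive)
    lockbox: set = field(default_factory=set)


@dataclass
class Custodian:
    # (provider, patient_id, purpose) tuples the custodian has approved for secondary use
    approvals: set = field(default_factory=set)
    # (provider, patient_id) pairs where the patient consented to access outside care
    patient_consents: set = field(default_factory=set)
    # every access decision, allowed or not, is recorded (the built-in audit control)
    audit_log: list = field(default_factory=list)


@dataclass
class AuditEntry:
    provider: str
    patient_id: str
    purpose: str
    allowed: bool
    reason: str


def authorize(provider: str, patient: Patient, purpose: str, custodian: Custodian) -> AuditEntry:
    """Apply the access rules in order and record the decision in the audit log."""
    pid = patient.patient_id
    if provider in patient.lockbox:
        # Assumption: in this model a lockbox overrides every purpose; the
        # "other legal authorization" exception is out of scope.
        allowed, reason = False, "lockbox: record masked from this provider"
    elif purpose == CARE:
        if provider in patient.circle_of_care:
            allowed, reason = True, "need to know: provider is in the circle of care"
        else:
            allowed, reason = False, "no current treating relationship"
    elif purpose in SECONDARY_PURPOSES:
        if (provider, pid, purpose) in custodian.approvals:
            allowed, reason = True, f"custodian approved {purpose}"
        elif (provider, pid) in custodian.patient_consents:
            allowed, reason = True, "patient consented to access outside care"
        else:
            allowed, reason = False, f"no custodian approval or patient consent for {purpose}"
    else:
        allowed, reason = False, f"unrecognised purpose: {purpose}"
    entry = AuditEntry(provider, pid, purpose, allowed, reason)
    custodian.audit_log.append(entry)
    return entry


def needs_justification(custodian: Custodian) -> list:
    """Audit review: every denied attempt and every successful access that was not
    for direct clinical care is surfaced, since the physician must be able to justify it."""
    return [e for e in custodian.audit_log if not e.allowed or e.purpose != CARE]


def demo() -> Custodian:
    """Constructed scenario following the emergency-physician example in the article."""
    hospital = Custodian()
    patient = Patient("pt-001", circle_of_care={"dr_er"})
    authorize("dr_er", patient, CARE, hospital)               # allowed: treating in the ED
    patient.circle_of_care.discard("dr_er")                    # her involvement ends
    patient.circle_of_care.add("dr_ward")
    authorize("dr_er", patient, CARE, hospital)                # denied: no longer treating
    hospital.approvals.add(("dr_er", "pt-001", "quality_improvement"))
    authorize("dr_er", patient, "quality_improvement", hospital)  # allowed, but surfaced for review
    patient.lockbox.add("dr_friend")                           # patient masks the record from an acquaintance
    authorize("dr_friend", patient, CARE, hospital)            # denied by the lockbox
    return hospital


if __name__ == "__main__":
    for entry in needs_justification(demo()):
        print(entry)
```

The ordering matters: the lockbox is evaluated before any purpose, the treating relationship alone only covers clinical care, and secondary purposes are allowed only with a recorded custodian approval or patient consent. The audit review deliberately surfaces allowed non-care accesses as well as denials, which is the point made above that each access outside clinical care may be detected and should be justifiable.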

DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.