■ Duties and responsibilities:

Expectations of physicians in practice

Privacy requirements are getting stricter: What physicians need to know

Published: January 2024

The information in this article was correct at the time of publishing

In an effort to address the growth in data collection and respond to increasing cybersecurity risks, the provincial and federal governments have amended existing privacy laws or introduced new laws. These legislative changes impose more onerous obligations on custodians of personal health information and levy harsher penalties for non-compliance.

Under recent amendments to privacy legislation in Ontario and Québec, new obligations will apply to physicians practising in those provinces. Though not yet in force, obligations under the new federal privacy legislation may soon apply to physicians practising in private clinics and offices[1] in other provinces and territories.

Personal health information – Custodians and agents

A custodian has custody or control of personal health information. A custodian can be:

  • a health care organization, such as a hospital, pharmacy, or laboratory
  • an individual physician, such as the owner of a clinic or a physician working as a sole practitioner in their own practice.

In a group practice or clinic, the custodian is typically determined according to how the practice is set up and the applicable definition under the legislation. Custodians are ultimately responsible for personal health information, as well as the actions of their agents.

An agent is someone authorized by a custodian to perform certain activities regarding personal health information. Generally speaking, this includes:

  • physicians practising in hospitals and certain medical clinics
  • administrative staff and other clinical care providers in a medical clinic or hospital.

While agents can access medical records for the purposes of providing clinical care, they must generally seek authority from the custodian to access, use, or disclose personal health information for other purposes. It is therefore essential for physicians to know who is the custodian in their practice setting.

While the new legislative requirements apply largely to physicians who are custodians, all physicians are expected to comply with obligations to protect patient information. The new enforcement powers permit penalties to be imposed against agents who engage in conduct contrary to requirements under the privacy legislation (for example, snooping).

New and more severe penalties for privacy breaches

Ontario and Québec have created new administrative penalties that are the first of their kind in Canada. Administrative penalties of up to $50,000 can be ordered against individuals in both Ontario and Québec for actions such as:

  • failing to report privacy breaches
  • refusing to respond to a patient’s request for access to their personal health information
  • not securely disposing of personal health information.

In addition, significant sanctions can now be imposed for more serious or repeated violations of the legislation, such as:

  • the willful, unauthorized disclosure of personal health information
  • using or attempting to use de-identified information to identify an individual
  • impeding a Privacy Commissioner’s investigation.

Sanctions can include fines of up to $200,000 in Ontario and $100,000 in Québec.

Once in force, the same penalties will be imposed under the new federal privacy legislation.

New requirements for consent and privacy impact assessments

Consent: Québec has expanded the requirements necessary for consent to be considered valid for the collection, use, and disclosure of personal information. For example, patients must be made aware of who will have access to their personal information and how long that information will be stored. This information should now be included in privacy policies in Québec.

Once in force, similar consent requirements will apply under the new federal privacy legislation.

Privacy impact assessments: Québec now requires that a privacy impact assessment be conducted before personal information is communicated or stored outside the province, or when developing or overhauling an electronic system that stores or processes personal information. For example, clinics or physicians will generally be required to conduct a privacy impact assessment before an electronic medical records (EMR) system is implemented or changes are made to an existing system.

These changes serve as a reminder of the importance of maintaining compliance with privacy legislation. For physicians who are custodians, compliance includes developing privacy policies, training staff to adhere to privacy measures, and having appropriate safeguards in place. For more information, see CMPA Good practices, Privacy and confidentiality.


  1. Private clinics and offices refer to practice settings that are outside of a hospital, health authority, or other public body.

DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.