
Privacy and confidentiality


Protecting your patient’s personal health information

Published: January 2021 (20-minute read)

Introduction

Patients share sensitive, often intimate information with their doctors. Physicians have a legal, ethical and professional duty to protect patients’ confidentiality and privacy. The legal duty to keep a patient’s personal health information (PHI) confidential originates from the trust relationship between doctors and patients. Privacy legislation reinforces this duty and requires an individual's consent before their PHI can be accessed, collected, used, or disclosed, subject to specified legal exceptions. The duty of privacy and confidentiality applies to every health provider and staff who has access to medical records.

Trust in the confidentiality of an encounter and the protection of the information recorded as a result encourages the patient to provide their doctor with all relevant information, enabling the physician to determine the diagnosis and treatment, and reducing the possibility of harm for the patient.

Good practice guidance

Circle of care

The "circle of care" is the group of healthcare providers treating a patient who share information to provide that care.

Figure: a patient at the centre of a circle of care, bound together by a lock signifying safety and security. Surrounding the patient are the providers who make up the circle: Consultant, Physiotherapist, Psychologist, Family Doctor, Social Worker, Massage Therapist, and Nurse.

The concept of the circle of care allows the sharing of patients’ health information between healthcare providers who are providing care to that patient, without seeking the patient’s express consent every time information needs to be exchanged. This allows for the provision of clinical information to colleagues when consulted.

Implied consent

Consent to share information with providers in the circle of care is generally implied. A patient, or their substitute decision-maker, who accepts a referral to another healthcare provider implies consent for sharing relevant information. This includes sharing with physicians and other healthcare providers (like chiropractors, physiotherapists, psychologists, etc.) who are caring for the patient, but does not include others such as family, friends, police, and so on.

Express consent

Express consent is required to share information with people outside the circle of care.

If there is any possibility of doubt about whether or not a physician has the patient’s consent to share information, then seeking express consent is wise. Although verbal consent may be acceptable in many circumstances, frequently there is need for written confirmation. Consent may be confirmed and validated by means of a suitable contemporaneous notation by the treating physician in the patient's record.

Sharing information with the family

Other than a patient’s substitute decision-maker (SDM), family members are not within the circle of care and are not entitled to information about a patient’s care without the express consent of the patient. Generally, if a patient is deemed capable of providing informed consent for treatment, the patient should also be able to authorize the release of their confidential health information.

Typically, minors who are capable of consenting to treatment will also have the capacity to control their personal health information. These minors should understand what information will be released, and to whom, and should be capable of understanding the consequences of disclosing or refusing to disclose their personal health information.

Note: The concept of "mature minor" is not applicable in Québec, where laws specifically define the age of consent (14 years old) and the circumstances in which a minor and/or their parents can consent to the release of the minor's medical records.

Generally, physicians are permitted to disclose PHI where the disclosure is required to contact a relative, friend, or potential SDM if the patient is injured, incapacitated, or ill and unable to give consent personally.

Leaving information on voicemail

As voicemail is often shared among family members or others, it is advisable to regularly confirm with patients their preferred mode of communication. Even if the patient agrees to voicemail communication, it is prudent to leave as little information as possible. Generally, appointment scheduling will be appropriate but avoid leaving any sensitive information on voicemail unless the patient has given instructions to do so, a fact which should be documented in the medical record.

Office staff obligations

As an employer, you are vicariously responsible for the actions of your staff. It is important to have a clear confidentiality policy that outlines staff expectations for protecting PHI. When orienting staff, review your office confidentiality and privacy policy and ask each staff member to sign a confidentiality agreement that highlights the importance of these issues. It is wise to have confidentiality agreements re-signed yearly, as a continual reminder of their importance. Educate staff not to discuss patient information, particularly outside of the office. Remind staff to take care that they are not overheard by patients in the waiting room when they are speaking on the phone, and arrange the office to reduce the likelihood of this happening. Similarly, remind staff not to divulge patient information to family members or a third party without the patient’s consent.

Health information custodians and agents

A patient’s PHI belongs to the patient but the paper or electronic medical record belongs to the physician or institution/clinic. A health information custodian refers to a person or organization who has custody or control of PHI contained in the medical record. This includes health care organizations such as hospitals, pharmacies, and laboratories, as well as some individual physicians (such as owners of a clinic and physicians working as a sole practitioner in their own practice). The custodian is mandated to protect PHI and to put in place systems and procedures to prevent unauthorized access. As a result, many institutions run random and directed chart access audits that can identify who accessed what record, when and for how long.

An agent is a person who is authorized by a custodian to perform certain activities on its behalf regarding PHI. Generally speaking, this includes physicians practising in hospitals and certain medical clinics, as well as administrative staff in a medical clinic or hospital. Custodians are ultimately responsible for PHI, as well as the actions of their agents.

Accessing information for educational purposes

Many physicians will seek to understand the outcome of their treatment decisions in order to learn from their experience or may wish to present anonymized patient cases at rounds. This long-held tradition of learning from experience nevertheless requires access to patient PHI. As agents within hospitals, physicians, residents and medical students should check with the custodian (in a hospital, it is generally the medical records department or the privacy officer) to determine if they permit access to PHI for educational purposes.

Accessing a patient’s PHI simply out of interest is never permitted.

Third party requests for information

Physicians have a professional obligation to provide reports to a third party, as requested by their patients. When requests for notes are made informally at the time of a visit, handing the note to the patient allows them to know the contents and to control its distribution. It is wise to document this and put a copy of the note in the record.

Express consent, usually in writing, should be obtained for personal health information sent directly from the doctor to a third party (insurance company, an employer, etc.). The request should indicate what information is requested, and what information the patient is authorizing the custodian to release. If the information is sensitive, or if the patient is not aware of the contents of their medical record, it is wise to confirm the patient understands the information in the record and to seek their direction about what information they wish to divulge.

Interacting with the police [1]

Police may sometimes accompany patients in care settings like the emergency department. While physicians may be naturally inclined to cooperate with authorities, patients’ PHI should not be released to the police without the patient’s express consent (or as required by law, such as when the physician receives a court order, search warrant or as a result of a statutory duty to report). A search warrant grants the police broad legal authority to search for and seize evidence and/or information. Physicians should disclose only the PHI listed on the warrant. In hospitals, the responsibility for releasing information lies with the hospital (typically the medical records department) as custodian of the information, not with the individual physician.


In Canada, provincial, territorial, and federal statutory requirements mandate that physicians must report patients who meet specific criteria to the appropriate agencies.

In some instances, if the physician fails to report to the public authority and thereby fails to fulfil the statutory obligation, the physician may be prosecuted, fined, or face imprisonment. The mandatory reporting requirement exists to protect the public.

Some examples of mandatory reporting situations include:

  • a child in need of protection (to prevent physical, sexual, or emotional harm, neglect or abandonment)
  • concerns about a patient's fitness to drive (e.g. cars, airplanes, trains, boats — requirements vary by province or territory)
  • patients with certain communicable diseases

Physicians should be aware of their regulatory authority (College) policies for mandatory reporting. To support a trusting physician-patient relationship, physicians should notify patients of their duty to report, when appropriate to do so.

If fulfilling a duty to report requires the disclosure of PHI, physicians will not generally be faulted for breaching confidentiality if they make their report in good faith. The information provided should generally be limited to only that required for the purpose of the report. Legislation establishing a duty to report typically protects physicians from liability for reports made in good faith [2].


There are circumstances in law or ethics, in which it is permissible (but not mandatory) for physicians to disclose confidential patient information.

Disclosure to prevent harm

Arising from the decision by the Supreme Court of Canada in the landmark case Smith v. Jones, physicians are permitted (but not obliged) to disclose confidential information to the relevant authorities in the interest of public safety if all of the following conditions are present:

  • There is a clear risk to an identifiable person or group of persons.
  • The risk is one of serious bodily harm or death.
  • The danger is imminent.

The permission to disclose confidential patient information for the purpose of warning a third party is also recognized in the privacy legislation of all Canadian jurisdictions. If time permits, physicians are encouraged to seek specific advice and legal counsel in individual situations concerning the appropriateness and scope of disclosure of information relevant to public safety. Physicians should disclose only sufficient information to prevent the harm. It is advisable to document any disclosure you make, along with your reasoning.


A privacy breach is typically described as any unauthorized access, use, or disclosure of PHI. Breaches most often originate with the inadvertent release of PHI without proper patient authorization. Other unintentional breaches result from unguarded conversations or misdirected communications containing PHI. Deliberate breaches such as inappropriately accessing a patient’s PHI (i.e. “snooping”) may also occur.

Healthcare providers who are unclear about whether they should access patient information should ask themselves two questions:

  • "Do I need this information to provide care to this patient?"
  • "Do I have the patient's consent, implied or expressed, to access this information?"

If the answer to either question is not certain, it would be prudent to obtain express consent before accessing or releasing any information.

Most privacy statutes in Canada also require reporting a privacy breach to affected individuals, the privacy commissioner, the regulatory authority (College), or possibly all three.

Risks of breaching privacy when using videos and photos

Using medical stories or photos of clinical findings has long been a mainstay of medical education. This practice, termed “secondary use” of PHI, may constitute a breach of privacy. Even de-identified videos and photographs may lead to identification of the patient by those who know them or, when digital files are used, through their metadata. Even when de-identified, photos, X-rays, ECGs and other results are considered a patient’s personal health information and express consent for their use and sharing should be sought before they are used in medical education, promotional material, or research.


As medicine and technology have advanced, most physicians are taking advantage of the benefits of e-communications. Electronic health information systems can improve patient care through better sharing of information with specialists and other healthcare providers within the patient's circle of care, and better coordination and access to services, particularly for patients living in remote areas.

One of the major risks of using technology to communicate PHI is that the information will be inadvertently disclosed to someone who should not have it [3]. Unlike traditional paper mail, where a piece of paper can be shredded, the digital nature of the information makes deleting it, and preventing its dissemination to countless others, virtually impossible.

Inadvertent disclosure to an unintended recipient can happen in a variety of ways:

  • Wifi networks and telemedicine communications can be insecure (particularly free wifi networks in public places) and prone to digital piracy;
  • Emails or text messages can be sent to the wrong recipient or be otherwise intercepted;
  • Unauthorized readers can access computer files (hacking);
  • Mobile devices can be lost or stolen.

Communicating with patients electronically

Many patients expect to be able to communicate electronically with the health providers in their circle of care. It can foster patient engagement, improve efficiency of care and facilitate scheduling and reminders. Electronic communication may also save time and unnecessary visits. 

Establishing and documenting a plan with patients regarding electronic communication is a prudent way to manage this mode of communication. It is important to clarify expectations and to discuss the risks of using email, text messaging, or other platforms with patients, taking into consideration whether the desired channel is secure. Patient portals (described below) are likely more secure than email or texting. The CMPA has a template consent to use electronic communication [PDF] that may be used as a basis for informed discussion. Even if the patient's consent is obtained to communicate via electronic means, the physician remains obligated to take reasonable steps to protect their patient's privacy.

Physicians should establish policies and procedures for using electronic communications in their practice. Staff should be informed of the risks with each form of electronic communication and trained to follow the policies and procedures.

Physicians should carefully consider what information may be shared electronically. Providing investigation results via a patient portal or other means can be efficient but it may lead to the possibility that patients misinterpret results. Sharing results electronically is best considered as part of a well thought-out test result follow up plan. Sensitive or urgent information may be more appropriately communicated in person or by telephone.

Patient portals

Patient portals have evolved into interactive, secure tools that can greatly enhance communication between physicians and patients, and help patients better manage their health [4].

The multiple functions of web-based portals include:

  • housing patient profiles and medical records
  • providing patient education documents
  • generating alerts and reminders for prescriptions and medication management
  • facilitating the booking of appointments
  • enabling quick review of lab and investigative reports, consultations, and follow-up messages to patients

Important considerations for using portals include:

  • establishing that the portal is secure and accessible only by those who are authorized
  • knowing that the platform meets the requirements of applicable privacy legislation
  • confirming with patients that the portal is not to be used for urgent messages or time-sensitive issues
  • obtaining the patient’s consent and submitting a terms of use agreement online before granting a password and access to the portal

Smartphone recordings

The ubiquitous presence of smartphones has led to more requests by patients to record their interaction with their physician. Often, patients have very valid reasons for wanting to do so. They may wish to have an accurate record of the advice provided, or to be able to share the information with family members. It may be possible, with an understanding of the reason underlying the request, to meet the patient’s needs without recording the entire encounter. For instance, it may be possible to record only the discharge instructions or informed consent discussion, if the patient wants the recording to serve as a memory aid.

Physicians are free to accept or decline a request from a patient to record the encounter. Some physicians may, for example, find that the anxiety of being recorded impedes their usual natural flow of conversation and that recording a discussion may not be conducive to an optimal physician-patient relationship. If declining to create a recording, it is important to explain the reasons for the decision and to offer to continue with the encounter regardless. If the patient insists on recording, physicians will have to use their discretion on whether or not to continue the appointment. If the physician perceives the request to be due to a lack of patient confidence in the physician-patient relationship, efforts should be directed at remedying that issue.

Any recording made at the time of the clinical encounter (i.e. contemporaneously) could be considered part of the medical record [5], and physicians are advised to make a note of the fact a recording was made and, if feasible, to keep a copy of the recording in the medical record.

If patients wish to record their visit:

  • Ask them what they are hoping to achieve with the recording
  • Seek consensus on any better alternatives to achieve the same goals, such as recording part, but not all, of the encounter
  • Obtain a copy of the recording for the medical record

If there are concerns about the reliability of a copy of the recording from the patient, the physician may decide to:

  • offer to record the encounter and to provide a copy to the patient
  • make their own recording at the same time as the patient.

Although Canadian law allows patients to record their clinical encounter without their physician’s consent, the same does not hold true for physicians. Physicians who wish to make their own recording of patient encounters must first obtain their patient’s express consent [6].

Physicians are responsible for protecting the privacy and confidentiality of all their patients as well as their staff. Recordings in an office waiting room, curtained treatment area (as opposed to private rooms) or other public places could capture identifiable audio or video information about another patient or staff member and lead to an allegation of a privacy breach against the physician. Being prepared to discuss these concerns with patients will facilitate the discussion when refusing to allow a recording to go ahead.

Physicians should prepare for patient recordings and consider adopting a policy on the use of smartphones and other recording devices in their offices. Any policy should distinguish between what is allowed in public spaces and in private areas. At a minimum, physicians should consider whether it is necessary to prohibit patients from taking photos and making video and audio recordings in the waiting room or other public areas to protect the privacy of patients and staff members.

Healthcare providers are likely, over the course of their career, to be recorded without their knowledge, and their communication style should reflect this possibility. Being recorded need not be a concern if healthcare professionals always behave as though they are being recorded by:


Communicating with colleagues electronically is perceived by many to be a more efficient means of communication compared to pagers or telephone calls. It can facilitate remote consultations and provide a sharing forum for medical education; however, because texting typically lends itself to a casual style of communication, it may be seen as abrupt or unprofessional [7]. Additionally, face-to-face interactions with patients or other care providers might be disrupted when engaged in a text conversation. A mindful approach to the use of texting can help foster healthy relationships with message recipients and persons in the clinical environment.

Prior to sharing any patient information — whether by text, email, or other electronic medium — it is important to consider whether the recipient of the shared information is in the circle of care. When sharing identifiable information outside the circle of care — be it for research, teaching, or learning — it is generally necessary to obtain express consent. Not doing so could result in a privacy breach with serious consequences.

Privacy considerations

Despite the convenience of email, text messaging and other communication platforms, these methods of eCommunication are often the least secure and the least private. Physicians who communicate via email, text, social media, or web portals need to be mindful they are governed by the same legal and professional standards as would apply in other professional settings (e.g. a hospital setting, family practice, or clinic). Relevant regulatory standards include federal, provincial or territorial privacy legislation, or guidelines published by medical regulatory authorities (Colleges).

To minimize the risk of a privacy breach, it is important to take the following actions.

Use encryption

Physicians have an obligation to protect the confidentiality of their patients' personal health information and to comply with provincial or territorial privacy requirements. Privacy commissioners agree that the use of appropriate encryption software to protect electronic messages and devices (mobile phones, laptops, portable hard drives, USB keys, etc.) is a reasonable safeguard under the circumstances. Encrypting data is the digital equivalent of handcuffing a briefcase to one’s wrist. Various enterprise solutions (e.g. patient portals) can provide encryption, and an increasing number of encryption applications are available for use on personal devices such as smartphones.

Obtain patient consent

If using encryption is not possible, physicians considering using unsecured or unencrypted email or text messaging should do so only for information that does not include identifiable personal health information (e.g. scheduling, reminders).

In addition, the patient should be informed about and understand:

  • how these messages will be used
  • the type of information that will be sent
  • how the emails or texts will be processed
  • the risks of using email or text messages

The discussion and patient's informed consent should be documented in the medical record.

Obtaining the patient's consent or using disclaimers in emails does not obviate a physician's legal and professional obligations to reasonably protect patient health information. Physicians should train their staff on privacy requirements and have signed confidentiality agreements.

Have a real conversation

Finally, there are times when face-to-face (or at least person-to-person) communication may simply be more appropriate. Examples include conveying sensitive test results or transferring patients requiring more complex care to a colleague, where interpreting nonverbal cues or giving feedback may be essential to the interaction.


Society expects that physicians will adhere to the highest standards of professionalism. As a result, posting on social media, whether in a personal or professional capacity, may lead to unintended consequences.

Engaging on social media offers opportunities and innovative options for learning and sharing information, but it also comes with risks. The consequences of unprofessional behaviour on social media are often more significant because of its reach (potential to go "viral") and permanency (leaves a permanent electronic or digital footprint). Once posted or recorded, the ability to retract a comment, photo, or video is very limited. Having different personal and professional accounts is one way to manage one’s digital presence but people may not differentiate between one platform and the other. It is imperative to remain professional and to respect confidentiality at all times.

When using social media, be it on a personal or professional account:

  • Assume all content on the internet is public and available to all.
  • Review and comply with your College's policies or guidelines on the use of social media.
  • Establish and follow a personal policy on the use of social media and follow it.
  • Outline the same expectations for your staff.
  • Make your guidelines known to patients, colleagues and other providers.
  • Respect patient privacy.
  • Do not provide personalized medical advice outside of formal telemedicine/virtual care settings.
  • Do not abuse or denigrate colleagues, patients, or organizations.
  • Think twice before posting.


Checklist: Privacy and confidentiality

Protecting the confidentiality and privacy of patients’ personal health information (PHI)

Do you:

  • Ask yourself whether you need to access the patient’s PHI to provide care to the patient?
  • Have the patient’s consent to access their PHI?
  • Share patient information only with those in the circle of care?
  • Ensure you have express consent or other legal authority before sharing information outside the circle of care?
  • Document express consent in the medical record?
  • Obtain express consent from a mature minor before sharing information with the parents or family?
  • Confirm with patients their preferred mode of communication with the office?
  • Avoid leaving sensitive information on voicemail?
  • Have a confidentiality and privacy policy for the office?
  • Arrange for all office staff to review and sign your privacy and confidentiality policy?
  • Check with the hospital authority before accessing any PHI for non-clinical purposes?
  • Obtain and document express consent for any information sent directly to third parties?
  • Notify the patient if any information to be divulged to a third party is sensitive?
  • Refuse to provide a patient’s PHI to the police unless you have received express consent from the patient or as required by law (subpoena, court order, or search warrant)?


Do you:

  • Know the federal, provincial, or territorial statutory requirements for reporting specific patients to appropriate authorities?
  • Comply with the regulatory authority (College) policies for mandatory reporting?
  • Notify the patient, when appropriate, of your mandatory duty to report?
  • Disclose only the information necessary to satisfy the reporting obligation?


Before you use electronic communication, do you:

  • Consider whether personal conversation is more appropriate?
  • Determine whether the communication is within the circle of care?
  • Obtain express (written) consent of the patient to communicate electronically?
  • Use encryption software?
  • Know and follow your College’s policy and standards on the matter?
  • Share only essential clinically relevant information?


Do you:

  • Know that the portal is secure and accessible only by those who are authorized?
  • Know that the platform meets the requirements of applicable privacy legislation?
  • Confirm with patients that the portal is not to be used for urgent messages or time-sensitive issues?
  • Obtain the patient’s consent and submit a terms of use agreement online before granting a password and access to the portal?


Have you:

  • Established a policy for patient recordings?
  • Considered whether it is necessary to prohibit patients from taking photos and making video and audio recordings to protect the privacy of others?
  • Considered that the patient may be recording the conversation without your knowledge?

If patients wish to record their visit, do you:

  • Ask them what they are hoping to achieve with the recording?
  • Seek consensus on any alternatives to achieve the same goals?
  • Obtain a copy of the recording for the medical record?
  • Document, in the medical record, that a recording was made?

If you wish to record a patient visit (using audio, video, or photos), do you:

  • Obtain the patient’s consent?

If declining the patient’s request to record the visit, do you:

  • Explain the reasons for your decision?
  • Offer to continue with the encounter?
  • Document your discussion?


When communicating electronically with colleagues, do you:

  • Consider whether a personal conversation is preferable?
  • Consider whether the recipient of the shared information is in the circle of care?
  • Have patient consent for sharing information electronically?
  • Remain mindful that de-identified medical stories or photos might be identifiable by others through metadata?
  • Use appropriate encryption software?

If using unsecured or unencrypted email or text messaging, do you:

  • Limit its use to administrative tasks (i.e. scheduling)?
  • Refrain from sending personal health information?
  • Obtain informed consent including discussing with patients:
    • how these messages will be used?
    • the type of information that will be sent?
    • how the emails or texts will be processed and stored?
    • the risks of using email or text messages?
  • Document the consent in the medical record?


When using social media, do you:

  • Remain committed to being professional?
  • Assume all content on the internet is public and available to all?
  • Review and comply with your College's policies or guidelines on the use of social media?
  • Have personal guidelines on the use of social media, including expectations for your staff?
  • Make your guidelines known to patients, colleagues, and other healthcare providers?
  • Protect patient privacy?
  • Avoid posting any personalized medical advice?
  • Show respect for colleagues, patients, or organizations?
  • Always consider the consequences before posting?

References

  1. Canadian Medical Protective Association [Internet]. Ottawa (ON): CMPA; 2019 Nov. Physician interactions with police. Available from: https://www.cmpa-acpm.ca/en/advice-publications/browse-articles/2011/physician-interactions-with-police
  2. Canadian Medical Protective Association [Internet]. Ottawa (ON): CMPA; 2015 Mar. When to disclose confidential information. Available from: https://www.cmpa-acpm.ca/en/advice-publications/browse-articles/2015/when-to-disclose-confidential-information
  3. College of Physicians and Surgeons of Ontario [Internet]. Toronto (CA): CPSO; 2000. Protecting Personal Health Information [updated 2020 March]. Available from: https://www.cpso.on.ca/Physicians/Policies-Guidance/Policies/Protecting-Personal-Health-Information
  4. Canadian Medical Protective Association [Internet]. Ottawa (ON): CMPA; 2016 Jan. Using electronic communications, protecting privacy. Available from: https://www.cmpa-acpm.ca/en/advice-publications/browse-articles/2013/using-electronic-communications-protecting-privacy
  5. Canadian Medical Protective Association [Internet]. Ottawa (ON): CMPA; 2016 Sept. Medical-legal handbook for physicians. Version 8.2. Available from: https://www.cmpa-acpm.ca/documents/10179/24891/com_16_MLH_for_physicians-e.pdf
  6. Canadian Medical Protective Association [Internet]. Ottawa (ON): CMPA; 2017 Mar. Smartphone recordings by patients: Be prepared, it’s happening. Available from: https://www.cmpa-acpm.ca/en/advice-publications/browse-articles/2017/smartphone-recordings-by-patients-be-prepared-it-s-happening
  7. Canadian Medical Protective Association [Internet]. Ottawa (ON): CMPA; 2019 June. Texting safely about patient care: Strategies to minimize risk. Available from: https://www.cmpa-acpm.ca/en/advice-publications/browse-articles/2019/texting-safely-about-patient-care
CanMEDS: Communicator, Professional

DISCLAIMER: The information contained in this learning material is for general educational purposes only and is not intended to provide specific professional medical or legal advice, nor to constitute a "standard of care" for Canadian healthcare professionals. The use of CMPA learning resources is subject to the foregoing as well as the CMPA's Terms of Use.